frame-src
Content-Security-Policy Fetch

Overview

frame-src controls the origins of documents you may embed via <iframe>/<frame> — i.e., which sites can be placed inside your page. When omitted it falls back to child-src, and if that is absent, to default-src.

Details

You allowlist trusted embed targets such as YouTube (https://www.youtube.com), payment widgets, maps, and ad iframes. Keeping frame-src narrow blocks malicious iframe injection (phishing, clickjacking lures, drive-by loads).

A common confusion: frame-src controls the direction of you embedding others (embed), whereas frame-ancestors controls others embedding you (be embedded). They are opposites, so use frame-ancestors for clickjacking defense and frame-src for your embed allowlist. child-src, which once aimed to replace frame-src, was effectively re-split — today iframes use frame-src and workers use worker-src.

Syntax

Content-Security-Policy: frame-src 'self' https://www.youtube.com https://player.vimeo.com

Notes

Related directives