Content-Security-Policy: fenced-frame-src directive

The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) fenced-frame-src directive specifies valid sources for nested browsing contexts loaded into {{HTMLElement("fencedframe")}} elements.

<table class="properties"> <tbody> <tr> <th scope="row">CSP version</th> <td>1</td> </tr> <tr> <th scope="row">Directive type</th> <td>{{Glossary("Fetch directive")}}</td> </tr> <tr> <th scope="row">Fallback</th> <td> If this directive is absent, the user agent will look for the {{CSP("frame-src")}} directive (which falls back to the {{CSP("child-src")}} directive). </td> </tr> </tbody> </table>

Syntax

http

Content-Security-Policy: fenced-frame-src <source-expression-list>;

<source-expression-list>
- : A space-separated list of source expression values. Resources of this type may be loaded if they match any of the given source expressions. For this directive, the following source expression values are applicable:
  - The <host-source> value "https:"
  - The <scheme-source> value "https:"
  - The string "*"

Examples

Violation cases

Given this CSP header:

http

Content-Security-Policy: fenced-frame-src https://example.com/

The following sources will not load in a fenced frame:

https://not-example.com/ (domain doesn't match)
https://example.org/ (TLD doesn't match)

Syntax

Examples

Violation cases

Specifications

Browser compatibility

See also