Seoxpert.io
Medium · Security

CSP Missing frame-ancestors Directive

Most CSP-protected pages lack the frame-ancestors directive, leaving them vulnerable to clickjacking attacks.

By Seoxpert Editorial · Published

Why it matters

Without the frame-ancestors directive in your Content-Security-Policy, browsers may allow your pages to be embedded in iframes by malicious sites, even if X-Frame-Options is set. This exposes users to clickjacking attacks, which can compromise user trust and site security. Search engines may also flag or penalize insecure implementations.

Impact

Leaving this unresolved can allow attackers to embed your pages and perform clickjacking attacks.

How it's detected

An automated crawler inspects the Content-Security-Policy header for the presence of a frame-ancestors directive on each page.

Common causes

  • Relying solely on X-Frame-Options for clickjacking protection
  • Assuming default-src covers framing and never setting frame-ancestors explicitly
  • Copy-pasting outdated CSP templates
  • Lack of awareness about CSP's precedence over X-Frame-Options
  • Legacy configurations not updated for modern browser standards

How to fix it

Update your Content-Security-Policy header to include a frame-ancestors directive. Use frame-ancestors 'none' to block all framing, or frame-ancestors 'self' if your own origin needs to frame the page. This gives consistent clickjacking protection across modern browsers and removes the need for X-Frame-Options.

Code examples

Problem: CSP header missing frame-ancestors

Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com;

Fix: CSP header with frame-ancestors 'none'

Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com; frame-ancestors 'none';

Fix: CSP header with frame-ancestors 'self'

Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com; frame-ancestors 'self';
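As an added illustration, not part of the Seoxpert page or its crawler, the checker below parses response headers the way an automated inspection would and explains each verdict: it shows that default-src never stands in for frame-ancestors, that a Report-Only header does not enforce anything, and that an over-broad source list still leaves the page frameable. Header values in the tests are constructed samples.

```python
"""Check whether a response restricts framing via an enforced CSP frame-ancestors directive."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class FramingCheck:
    frame_ancestors: list[str] | None   # None when no enforced CSP carries the directive
    x_frame_options: str | None
    findings: list[str] = field(default_factory=list)


def parse_csp(value: str) -> list[dict[str, list[str]]]:
    """Split a CSP header value into policies (comma-separated, as when several
    CSP headers are folded into one) and each policy into {directive: [sources]}.
    A directive repeated inside one policy is ignored by browsers, so the first wins."""
    policies = []
    for policy in value.split(","):
        directives: dict[str, list[str]] = {}
        for token in policy.split(";"):
            parts = token.split()
            if parts:
                directives.setdefault(parts[0].lower(), parts[1:])
        policies.append(directives)
    return policies


def check_framing(headers: dict[str, str]) -> FramingCheck:
    """headers: response header name -> value; lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    result = FramingCheck(frame_ancestors=None, x_frame_options=h.get("x-frame-options"))
    for policy in parse_csp(h.get("content-security-policy", "")):
        if "frame-ancestors" in policy:
            # default-src never falls back to frame-ancestors; only an explicit directive counts.
            # An empty source list matches nothing, the same effect as 'none'.
            result.frame_ancestors = policy["frame-ancestors"]
            break
    fa = result.frame_ancestors
    if fa is None:
        report_only = parse_csp(h.get("content-security-policy-report-only", ""))
        if any("frame-ancestors" in p for p in report_only):
            result.findings.append("frame-ancestors only in Report-Only header: not enforced")
        if result.x_frame_options:
            result.findings.append("frame-ancestors missing; X-Frame-Options is the only framing control")
        else:
            result.findings.append("frame-ancestors missing and no X-Frame-Options: any origin may frame this page")
    elif "*" in fa or "https:" in fa or "http:" in fa:
        # A wildcard or bare scheme source allows every origin on that scheme.
        result.findings.append("frame-ancestors present but permits any origin: " + " ".join(fa))
    return result
```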

FAQ

Does frame-ancestors replace X-Frame-Options?

Yes. When both are present, browsers that support frame-ancestors enforce it and ignore X-Frame-Options.

What value should I use for frame-ancestors if I never want my site embedded?

Use frame-ancestors 'none' to block all embedding of your pages.

Can I use frame-ancestors with specific domains?

Yes, you can list the allowed origins, e.g. frame-ancestors 'self' https://trusted.com

Will adding frame-ancestors affect SEO or crawling?

No, unless your site relies on being embedded in iframes for legitimate reasons.
