CSP: Frame-src - HTTP - MDN Web Docs - Mozilla


The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.

Note: frame-src is set by the embedding page and restricts where the <frame> and <iframe> elements in that page may be loaded from. This differs from frame-ancestors, which is set by the embedded page and restricts which parents may embed it.

CSP version: 1
Directive type: Fetch directive
Fallback: If this directive is absent, the user agent will look for the child-src directive (which in turn falls back to the default-src directive).

Syntax

  Content-Security-Policy: frame-src 'none';
  Content-Security-Policy: frame-src <source-expression-list>;

This directive may have one of the following values:

'none'

No resources of this type may be loaded. The single quotes are mandatory.

<source-expression-list>

A space-separated list of source expression values. Resources of this type may be loaded if they match any of the given source expressions. For this directive, the following source expression values are applicable:

  • <host-source>
  • <scheme-source>
  • 'self'

Examples

Violation cases

Given this CSP header:

  Content-Security-Policy: frame-src https://example.com/

The following <iframe> is blocked and won't load:

  <iframe src="https://not-example.com/"></iframe>
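
The decision the browser makes for that <iframe>, and the frame-src / child-src / default-src fallback described above, can be modelled in a few dozen lines. The following is an added example and not MDN's or any browser's code; it implements the CSP3 host-source matching rules (scheme, wildcard host, port, path prefix, first-directive-wins) in simplified form, and the policies, hostnames and the document URL it uses are constructed for illustration.

```javascript
// Added example, not MDN's code: a minimal model of the browser's frame-src
// decision, including the frame-src -> child-src -> default-src fallback and
// CSP3 host-source matching (scheme, wildcard host, port, path prefix).
// Policies, hostnames and URLs below are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "frame-src a b; child-src c" -> Map { "frame-src" => ["a","b"], "child-src" => ["c"] }.
// CSP keeps only the first occurrence of a directive; later duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// The source list governing <frame>/<iframe>: frame-src, else child-src, else default-src.
function frameSourceList(policy) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (policy.has(name)) return { directive: name, sources: policy.get(name) };
  }
  return null; // no applicable directive: frames are unrestricted
}

// Scheme-part match: identical, or an http/ws expression also covers https/wss (CSP3 upgrade rule).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http:" && urlScheme === "https:") ||
    (exprScheme === "ws:" && urlScheme === "wss:");
}

// host-source = [scheme://] host [:port] [/path]; host may start with "*.", port may be "*".
function hostSourceMatches(expr, url, origin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^:\/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false; // not a host-source this model understands
  const scheme = m[1] && m[1].toLowerCase(), host = m[2].toLowerCase(), port = m[3], path = m[4];
  const exprScheme = scheme ? `${scheme}:` : origin.protocol; // no scheme: inherit the document's
  if (!schemeMatches(exprScheme, url.protocol)) return false;

  const urlHost = url.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    // "*.example.com" covers sub.example.com but not example.com itself
    if (!urlHost.endsWith(host.slice(1))) return false;
  } else if (urlHost !== host) {
    return false;
  }

  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORTS[url.protocol] || "")) return false; // no port given: default port only
  } else if (port !== "*") {
    const bothDefault = port === DEFAULT_PORTS[exprScheme] && urlPort === DEFAULT_PORTS[url.protocol];
    if (port !== urlPort && !bothDefault) return false; // lets http://h:80 cover https://h:443
  }

  if (path) {
    if (path.endsWith("/")) { if (!url.pathname.startsWith(path)) return false; } // prefix match
    else if (url.pathname !== path) return false;                                 // exact match
  }
  return true;
}

function sourceMatches(rawExpr, url, origin) {
  const kw = rawExpr.toLowerCase();
  if (kw === "'none'") return false;                        // matches nothing
  if (kw === "'self'") return url.origin === origin.origin;  // simplified: exact origin equality
  if (kw === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol) || url.protocol === origin.protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(kw)) return schemeMatches(kw, url.protocol); // scheme-source
  return hostSourceMatches(rawExpr, url, origin);
}

// Decide whether <iframe src=frameUrl> inside the document at documentUrl may load.
function frameLoadDecision(cspHeader, frameUrl, documentUrl) {
  const governing = frameSourceList(parseCsp(cspHeader));
  if (!governing) return { allowed: true, directive: null };
  const url = new URL(frameUrl), origin = new URL(documentUrl);
  return { allowed: governing.sources.some((s) => sourceMatches(s, url, origin)), directive: governing.directive };
}

// Constructed document URL for the demo (not a real site).
const PAGE = "https://app.example.test/dashboard";

// The violation case from this page: blocked by frame-src.
console.log(frameLoadDecision("frame-src https://example.com/", "https://not-example.com/", PAGE));
// frame-src takes precedence over child-src, even when child-src would allow the frame.
console.log(frameLoadDecision("frame-src 'none'; child-src https://example.com", "https://example.com/", PAGE));
// Without frame-src, child-src (then default-src) governs.
console.log(frameLoadDecision("default-src 'self'; child-src https://*.example.com:*", "https://cdn.example.com:8443/embed", PAGE));
```

Two behaviours worth noting when auditing a policy: a host-source with no explicit port only matches the default port for the URL's scheme, so `https://example.com` does not cover `https://example.com:8443`; and a wildcard host `*.example.com` does not cover the apex `example.com`, which is a common reason an embed that "should" be allowed gets blocked.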

Specifications

Specification
Content Security Policy Level 3 # directive-frame-src

See also

  • Content-Security-Policy
  • <frame> and <iframe>
  • frame-ancestors

This page was last modified on Nov 19, 2024 by MDN contributors.