This test page demonstrates a security weakness where a Content Security Policy (CSP) is implemented but lacks the frame-src directive, which controls which sources can be loaded in iframes.
The policy has no frame-src (or equivalent default-src) directive to control which sources can be loaded in iframes, potentially allowing untrusted content to be embedded.
Test Case
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; style-src 'self'; frame-ancestors 'self';">
This CSP controls script and style sources and prevents the page from being framed, but doesn't restrict which sources can be loaded in iframes on the page itself.
Explanation
The frame-src directive in Content Security Policy controls which URLs can be loaded in frames, iframes, and other embedded content. Without this directive (or a default-src that would apply to frames), a page may be vulnerable to:
- Loading potentially malicious content from untrusted sources
- Unauthorized data access across origins
- UI redressing attacks through embedded content
- Loading content that may violate the intended security posture of the application
While frame-ancestors protects against clickjacking by controlling who can embed your page, frame-src controls what content your page can embed, addressing a different security concern.
How Pink Sock detects this issue:
Pink Sock analyzes CSP headers and meta tags for the presence of either a frame-src directive or a default-src directive that would apply to frame sources. When a CSP exists but lacks both of these controls while iframes are present on the page, it flags it as a medium-severity security issue.
How to fix:
Add the frame-src directive to your Content Security Policy:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self' https://trusted-source.com; frame-ancestors 'self'; script-src 'self'; style-src 'self';">
For most applications, restricting frame sources to 'self' and specific trusted domains is appropriate. If you don't need iframes from external sources, a restrictive policy is best:
frame-src 'self';
If you need to completely disallow iframes, you can use:
frame-src 'none';
Additional Information
CSP Inheritance and Fallbacks
Understanding CSP directive inheritance is important:
- If frame-src is not specified, the browser falls back to child-src
- If child-src is not specified, the browser falls back to default-src
- If neither is specified, there are no restrictions on iframe sources
Because of this fallback behavior, a policy containing default-src 'self' already provides some protection, but an explicit frame-src is preferred for clarity and precision.
Source List Syntax
The frame-src directive accepts a variety of values:
| Value | Description | Example |
|---|---|---|
| 'self' | Same origin as the page | frame-src 'self'; |
| 'none' | No sources allowed | frame-src 'none'; |
| domain.com | Specific domain | frame-src example.com; |
| https: | Any HTTPS URL | frame-src https:; |
| Multiple values | Multiple allowed sources | frame-src 'self' trusted.com; |
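The following added example (written for this page, not Pink Sock's own code) ties together the three pieces described above: parsing a CSP string, resolving the directive that actually governs iframes through the frame-src, child-src, default-src fallback chain, and checking iframe URLs against the source-list forms in the table. It also reproduces the detection rule as stated: a CSP that exists, iframes present, and no frame-source control yields a medium-severity finding. The page origin, iframe URLs and function names are assumptions made for the example; the two policies are the ones shown on this page.

```python
from urllib.parse import urlparse

# Order in which a browser looks for the directive governing <iframe> sources.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def parse_csp(policy):
    """Split a CSP header or meta value into {directive: [source, ...]}.
    Directive names are case-insensitive and the first occurrence of a name wins."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_frame_sources(directives):
    """Walk frame-src -> child-src -> default-src; return (directive, sources) or (None, None)."""
    for name in FRAME_FALLBACK:
        if name in directives:
            return name, directives[name]
    return None, None


def frame_allowed(sources, frame_url, page_origin):
    """Does this source list permit frame_url to load in an iframe on page_origin?
    Covers the forms in the table above: 'none', 'self', a scheme such as https:,
    a host, scheme://host[:port] and a leading *. wildcard. Other keywords are ignored."""
    normalized = [s.lower() for s in sources]
    if not normalized or normalized == ["'none'"]:
        return False  # an empty list or 'none' means nothing may be framed
    frame, page = urlparse(frame_url), urlparse(page_origin)
    for token in normalized:
        if token == "'self'":
            if (frame.scheme, frame.netloc) == (page.scheme, page.netloc):
                return True
        elif token.endswith(":") and "/" not in token:
            if frame.scheme == token[:-1]:  # scheme-source, e.g. https:
                return True
        elif not token.startswith("'"):
            pattern = urlparse(token if "://" in token else "//" + token)
            if not pattern.hostname or not frame.hostname:
                continue
            # A host-source without a scheme matches the page's scheme or an https upgrade.
            scheme_ok = (pattern.scheme == frame.scheme if pattern.scheme
                         else frame.scheme in (page.scheme, "https"))
            host_ok = (frame.hostname.endswith(pattern.hostname[1:])
                       if pattern.hostname.startswith("*.")
                       else frame.hostname == pattern.hostname)
            port_ok = pattern.port is None or pattern.port == frame.port
            if scheme_ok and host_ok and port_ok:
                return True
    return False


def assess_page(policy, page_origin, iframe_urls):
    """Reproduce the detection rule described above: a CSP that exists, a page that
    contains iframes, and no frame-src/child-src/default-src => medium severity.
    Returns a dict; severity None means no finding from this check."""
    finding = {"severity": None, "directive": None, "blocked": []}
    if not policy.strip() or not iframe_urls:
        return finding  # a missing CSP or a page without iframes is a different check
    name, sources = effective_frame_sources(parse_csp(policy))
    if name is None:
        finding["severity"] = "medium"
        return finding
    finding["directive"] = name
    finding["blocked"] = [u for u in iframe_urls if not frame_allowed(sources, u, page_origin)]
    return finding


# Constructed sample inputs: a hypothetical page origin and iframe URLs, plus the
# vulnerable and fixed policies shown on this page.
PAGE_ORIGIN = "https://app.example"
IFRAMES = ["https://app.example/embed", "https://trusted-source.com/widget",
           "https://untrusted.example/x"]
VULNERABLE_CSP = "script-src 'self'; style-src 'self'; frame-ancestors 'self';"
FIXED_CSP = ("default-src 'self'; frame-src 'self' https://trusted-source.com; "
             "frame-ancestors 'self'; script-src 'self'; style-src 'self';")

if __name__ == "__main__":
    for label, csp in (("vulnerable", VULNERABLE_CSP), ("fixed", FIXED_CSP)):
        print(label, assess_page(csp, PAGE_ORIGIN, IFRAMES))
```

The vulnerable policy resolves to no governing directive and is reported as medium; the fixed policy resolves to frame-src and only the untrusted iframe URL is listed as blocked. The matcher implements the subset of source-list syntax the table covers and skips other keywords, which is enough to reason about the examples here but is not a full CSP engine.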
Testing CSP Effectiveness
To verify your CSP implementation:
- Use CSP validation tools like the one at CSP Evaluator
- Implement CSP reporting to collect violation data
- Test with deliberately non-compliant resources to confirm enforcement
- Monitor CSP violations in your browser's developer console
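As an added example for the reporting step above (not code from this page or from Pink Sock), the function below triages CSP violation reports in the report-uri "csp-report" JSON shape and counts blocked URLs per directive, skipping bodies that are not well-formed reports. The sample reports are constructed for the example; effective-directive is preferred over violated-directive because it names the directive the browser actually enforced, so a violation caught by falling back to default-src still appears under frame-src.

```python
import json
from collections import Counter


def parse_report(body):
    """Extract (directive, blocked URL, document URL) from one report body, or None."""
    try:
        payload = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None  # not JSON, or JSON that is not an object
    if not isinstance(payload, dict):
        return None
    directive = payload.get("effective-directive") or payload.get("violated-directive")
    if not directive:
        return None
    return {
        "directive": directive.split()[0],  # legacy reports carry the whole directive text
        "blocked": payload.get("blocked-uri", ""),
        "document": payload.get("document-uri", ""),
    }


def summarize_reports(bodies):
    """Count violations as (directive, blocked URL) pairs for review."""
    counts = Counter()
    for body in bodies:
        report = parse_report(body)
        if report:
            counts[(report["directive"], report["blocked"])] += 1
    return counts


# Constructed sample bodies as a browser would POST them to a report-uri endpoint.
# Browsers may reduce a cross-origin blocked-uri to just its origin.
SAMPLE_REPORT_BODIES = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "effective-directive": "frame-src",
                               "violated-directive": "default-src 'self'",
                               "blocked-uri": "https://untrusted.example",
                               "original-policy": "default-src 'self'"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/page2",
                               "effective-directive": "frame-src",
                               "violated-directive": "frame-src 'self'",
                               "blocked-uri": "https://untrusted.example",
                               "original-policy": "default-src 'self'; frame-src 'self'"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "inline",
                               "original-policy": "default-src 'self'"}}),
    "not a json report at all",
]

if __name__ == "__main__":
    for (directive, blocked), n in summarize_reports(SAMPLE_REPORT_BODIES).most_common():
        print(f"{n:3d}  {directive:12s} {blocked}")
```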