---
title: Frame Ancestors Sources
description: A space-separated list of sources to allow in the frame-ancestors directive in the Content Security Policy (CSP) header for agent responses. This directive specifies the sources that can embed the page in a frame, iframe, embed, or object.
component: web-agents
version: 2025.11
page_id: web-agents:properties-reference:com.forgerock.agents.csp.frame.ancestors.sources
canonical_url: https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.csp.frame.ancestors.sources.html
---

# Frame Ancestors Sources

A space-separated list of sources to allow in the `frame-ancestors` directive in the Content Security Policy (CSP) header for agent responses. This directive specifies the sources that can embed the page in a frame, iframe, embed, or object.

The sources are validated against the [CSP specification](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors#sources) for the `frame-ancestors` directive, and the agent won't start if the value is invalid.

Additionally, these sources must comply with the following rules:

* The `none` value is not allowed.

* Only the `http:` and `https:` schemes are allowed.

* Hostnames can start with a wildcard character `*` to allow subdomains.

* Port numbers can be a single wildcard or a valid TCP/IP port.

Example valid values:

`'self' https: https://*.example.com https://www.othersite.com:9000`

Example invalid values:

`'none' file: ftp://example.com .example. example.com:*1024`
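
Because the agent won't start when the value is invalid, a candidate value can be linted before it is deployed. The following Python check is an added example, not Ping Identity code and not the agent's own validator: it approximates the rules listed above, and the function names, the 1 to 65535 port range, and the rejection of paths and of a bare `*` host are assumptions.

```python
import re

# Approximation of the CSP host-source grammar, restricted as this page
# describes: optional scheme, optional leading "*." wildcard, optional port
# that is digits or a single "*". Paths and a bare "*" host are rejected
# here (assumption; the page does not say how the agent treats them).
_LABEL = r"[A-Za-z0-9-]+"
_SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
_HOST_SOURCE = re.compile(
    rf"^(?:(?P<scheme>{_SCHEME})://)?"
    rf"(?P<host>(?:\*\.)?{_LABEL}(?:\.{_LABEL})*)"
    rf"(?::(?P<port>\*|[0-9]+))?$"
)
_SCHEME_SOURCE = re.compile(rf"^(?P<scheme>{_SCHEME}):$")
ALLOWED_SCHEMES = {"http", "https"}


def check_source(src):
    """Return None if src passes the rules, else a short reason string."""
    if src.lower() == "'none'":
        return "'none' is not allowed in this property"
    if src.lower() == "'self'":
        return None
    m = _SCHEME_SOURCE.match(src)
    if m:  # scheme-only source such as "https:"
        ok = m.group("scheme").lower() in ALLOWED_SCHEMES
        return None if ok else "only http: and https: schemes are allowed"
    m = _HOST_SOURCE.match(src)
    if not m:
        return "not a valid host source"
    scheme = m.group("scheme")
    if scheme and scheme.lower() not in ALLOWED_SCHEMES:
        return "only http: and https: schemes are allowed"
    port = m.group("port")
    # Port range 1-65535 is an assumption for "valid TCP/IP port".
    if port and port != "*" and not 1 <= int(port) <= 65535:
        return "port out of range"
    return None


def lint(value):
    """Map each rejected source in a space-separated value to its reason."""
    return {s: r for s in value.split() if (r := check_source(s))}
```

Calling `lint()` on the valid example above returns an empty dict, and on the invalid example it returns one entry per source. The agent's startup validation remains the authority on what is accepted.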

If this property isn't set, the agent sets the `frame-ancestors` directive to `'self'`.

This property is only used when [Frame Ancestors None](com.forgerock.agents.csp.frame.ancestors.none.html) is `0`.

Default: Empty

|                    |                                                                                     |
| ------------------ | ----------------------------------------------------------------------------------- |
| Property name      | `com.forgerock.agents.csp.frame.ancestors.sources` (introduced in Web Agent 2025.3) |
| Function           | Content Security Policy                                                             |
| Type               | String List                                                                         |
| Bootstrap property | Yes                                                                                 |
| Required property  | No                                                                                  |
| Restart required   | No                                                                                  |
