CoreWebView2NavigationStartingEventArgs.AdditionalAllowedFrameAncestors Property
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Additional allowed frame ancestors set by the host app.
public string AdditionalAllowedFrameAncestors { get; set; }
member this.AdditionalAllowedFrameAncestors : string with get, set
Public Property AdditionalAllowedFrameAncestors As String
Property Value
String
Remarks
The app may set this property to allow a frame to be embedded by additional ancestors beyond those allowed by the site's X-Frame-Options HTTP header and Content-Security-Policy frame-ancestors directive.
If set, a frame ancestor is allowed if it is permitted either by the additional allowed frame ancestors or by the original HTTP headers from the site. Whether an ancestor is allowed by the additional allowed frame ancestors is evaluated the same way as if the site had provided the value as the source list of the Content-Security-Policy frame-ancestors directive. For example, if https://example.com and https://www.example.com are the origins of the top page and the intermediate iframes that embed a nested site-embedding iframe, and you fully trust those origins, you should set this property to https://example.com https://www.example.com.
This property gives the app the ability to use an iframe in trusted app pages to embed sites that otherwise could not be embedded in an iframe.
This could potentially expose the embedded sites to clickjacking attacks from code running in the embedding web page. Therefore, you should only set this property to the origins of the fully trusted embedding page and any intermediate iframes.
Whenever possible, you should use the list of specific origins of the top and intermediate frames instead of wildcard characters for this property. This API provides limited support for app scenarios that used to be supported by the <webview> element in other solutions, such as JavaScript UWP apps and Electron. You should limit the usage of this property to trusted pages and to specific navigation target URLs, by checking the Source and Uri properties.
This property is ignored for top level document navigation.
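Because the property only takes effect for frame navigations, it is set from a CoreWebView2.FrameNavigationStarting handler. The following is an added example, not code from the page or from the WebView2 SDK; it assumes a WebView2 control named webView, a trusted host page served from https://app.example.com, and an embedded site at https://www.example.com. It gates the relaxation on both the current top-level Source and the frame's target Uri, comparing origins rather than string prefixes.

```csharp
using System;
using Microsoft.Web.WebView2.Core;

public sealed class FrameAncestorPolicy
{
    // Assumed values for this example (not from the page).
    private static readonly Uri TrustedHostOrigin = new Uri("https://app.example.com");
    private static readonly Uri EmbeddedSiteOrigin = new Uri("https://www.example.com");

    // Subscribe once CoreWebView2 is initialized (webView is an assumed control name):
    //   webView.CoreWebView2.FrameNavigationStarting += policy.OnFrameNavigationStarting;
    public void OnFrameNavigationStarting(object sender, CoreWebView2NavigationStartingEventArgs args)
    {
        var core = (CoreWebView2)sender;

        // Source is the current top-level document; args.Uri is where the iframe is going.
        if (!Uri.TryCreate(core.Source, UriKind.Absolute, out var topLevel) ||
            !Uri.TryCreate(args.Uri, UriKind.Absolute, out var target))
        {
            return; // unparseable: leave the site's own framing headers in force
        }

        // Relax framing only when the trusted app page embeds the expected site.
        if (SameOrigin(topLevel, TrustedHostOrigin) && SameOrigin(target, EmbeddedSiteOrigin))
        {
            // A single exact origin, no wildcard; it is evaluated like a
            // frame-ancestors source list. List intermediate iframe origins
            // here too (space separated) if the embedding is nested.
            args.AdditionalAllowedFrameAncestors =
                TrustedHostOrigin.GetLeftPart(UriPartial.Authority);
        }
    }

    // Compare scheme, host and port rather than a string prefix, so that
    // "https://www.example.com.attacker.invalid" does not match.
    private static bool SameOrigin(Uri a, Uri b) =>
        a.Scheme == b.Scheme && a.Host == b.Host && a.Port == b.Port;
}
```

For any other frame navigation the property is left unset, so the embedded site's X-Frame-Options and frame-ancestors policy apply unchanged.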