How to control iframe embedding from specific origins with Content Security Policy (CSP)

Assuming you have two websites: one is, and the other is You wish to embed as an iframe element on a page of However, you may encounter an error message stating, "Refused to display '' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN' or 'DENY'."
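One way to address this is to remove the "X-Frame-Options" response header from the site, if possible. Removing the header on its own lets any origin frame the page, so replace it with the CSP "frame-ancestors" directive, which names the origins that are allowed to embed the page. The directive takes a single source or a space-separated list of sources: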
Content-Security-Policy: frame-ancestors <source>;
Content-Security-Policy: frame-ancestors <space separated list of sources>;
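Here is an example of setting the Content Security Policy (CSP) in the web.config file to allow embedding from specific domains. The value shown, 'self', permits framing only by pages from the site's own origin; each additional origin that may embed the page is appended to the value, separated by a space: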
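<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><httpProtocol><customHeaders>
        <add name="Content-Security-Policy" value="frame-ancestors 'self'" />
</customHeaders></httpProtocol></system.webServer></configuration>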
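To check a policy before deploying it, the following added example (not code from the original page) is a simplified model of how a browser decides whether a page may be framed from its X-Frame-Options and frame-ancestors headers. The function names and the origins under .example are assumptions made for illustration, and port and scheme matching are reduced to the common cases.

```javascript
// Added example: simplified model of a browser's framing decision.
// Origins under .example are constructed placeholders; header names are lowercase keys.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the source list of the frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Does one source expression allow this ancestor? Covers 'self', *, scheme
// sources (https:) and host sources with optional scheme, *. prefix and port.
function sourceMatches(source, ancestor, self) {
  const a = new URL(ancestor);
  if (source === "'self'") return a.origin === new URL(self).origin;
  if (source === '*') return true;
  const schemeOk = (want) =>
    a.protocol === want || (want === 'http:' && a.protocol === 'https:');
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return schemeOk(source.toLowerCase());
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/']+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // 'none' and malformed entries match nothing
  const [, scheme, wildcard, host, port] = m;
  if (!schemeOk(scheme ? scheme.toLowerCase() + ':' : new URL(self).protocol)) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? a.hostname.endsWith('.' + h) : a.hostname === h;
  const actualPort = a.port || DEFAULT_PORT[a.protocol];
  return hostOk && (port === '*' || actualPort === (port || DEFAULT_PORT[a.protocol]));
}

// self: URL of the framed page; ancestors: URLs of every embedding page,
// parent first. Every ancestor must be allowed, not only the direct parent.
function mayFrame(headers, self, ancestors) {
  const sources = parseFrameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is enforced, browsers ignore X-Frame-Options.
    return ancestors.every((a) => sources.some((s) => sourceMatches(s, a, self)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') {
    return ancestors.every((a) => new URL(a).origin === new URL(self).origin);
  }
  return true; // neither header set: any origin may frame the page
}
```

The last branch is the case to watch for: a response that has lost X-Frame-Options and gained no frame-ancestors directive can be framed by any origin.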