Talk:Clickjacking Defense Cheat Sheet
In the limitations, nested frames paragraph sounds confusing. Is there any mistake there?
"Nested Frames don't work with SAMEORIGIN and ALLOW-FROM In the following situation, the http://framed.invalid/child frame does not load because ALLOW-FROM applies to the top-level browsing context, not that of the immediate parent. The solution is to use ALLOW-FROM in both the parent and child frames (but this prevents the child frame loading if the //framed.invalid/parent page is loaded as the top level document)."
Grandchild frame does not use ALLOW-FROM. It uses SAMEORIGIN.
The relation between frame-src and frame-ancestors is sometimes confusing
The relation between frame-src and frame-ancestors is sometimes confusing. Should the difference be mentioned, or is mentioning frame-src in the context of Clickjacking adding to the confusion?
I'd like to add a piece where it is stated that the two directives are not the same and where it is stated that the frame-src is about nested iframes in the page in question. Therefore it is not clickjacking related. --Maarten van Hulsentop