Tags: iframe, http-headers, content-security-policy

Transitive CSP frame-ancestors


Let's have an outer page that contains an <iframe> which contains another <iframe>.

The inner page has a Content-Security-Policy header with frame-ancestors allowing only the middle page.

The middle page has a Content-Security-Policy header with frame-ancestors allowing only the outer page.

Should this setup work or does the inner page have to have both frame-ancestors outer middle?

Or would frame-ancestors outer be enough for the inner page? This would of course not work for the middle page being the main window, but how about for the outer page being the main window?

<body>
  Outer page
  my URL is: https://outer

  <iframe src="https://middle">
    Middle page
    my URL is: https://middle
    my CSP frame-ancestors is: outer

    <iframe src="https://inner">
      Inner page
      my URL is: https://inner
      my CSP frame-ancestors is: middle
    </iframe>
  </iframe>
</body>

Solution

  • As the specification says in the first paragraph of https://www.w3.org/TR/CSP3/#frame-ancestors-navigation-response, it should be blocked if one or more of the ancestors violate the frame-ancestors directive. This also includes redirects. There have been different implementations in browsers, but expect it to be transitive in some. So you will need to set all ancestors of the resource in frame-ancestors.
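The check the answer refers to can be simulated outside a browser. The following is an added example (not code from the question, the answer, or any browser): a small Node.js model of the CSP3 frame-ancestors algorithm, which walks every ancestor of the framed document up to the top-level page and requires each one to match the document's own source list. The hostnames outer, middle and inner are taken from the question; the 'self' matching is simplified to exact origin equality, and the https-upgrade rule for 'self' and for explicit ports is left out.

```javascript
// Added example: a simulator for the CSP3 frame-ancestors check
// (https://www.w3.org/TR/CSP3/#frame-ancestors-navigation-response).
// Not browser code. Hostnames outer/middle/inner are from the question above.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Parse a host-source such as "middle", "https://outer" or "https://*.example.com:8443".
// Paths are discarded: frame-ancestors compares each ancestor's serialized origin,
// so there is never a path on the candidate side to match.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// "scheme-part matches": identical, or the policy says http and the ancestor is https.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === "http:" && urlScheme === "https:");
}

// "*" matches any host, "*.example.com" matches subdomains only, otherwise exact match.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// No port in the source means only the scheme's default port matches (URL.port is "" then).
function portMatches(exprPort, url) {
  if (exprPort === "*") return true;
  if (exprPort === null) return url.port === "";
  return exprPort === (url.port || DEFAULT_PORT[url.protocol] || "");
}

// Does one source expression match the candidate ancestor origin `url`?
// `self` is the origin of the document that carries the policy.
function sourceMatches(expr, self, url) {
  if (expr === "'self'") return url.origin === self.origin; // simplified: no http->https upgrade rule
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol); // scheme-source
  const src = parseHostSource(expr);
  if (!src) return false;                     // unknown expression ('none' among others): never matches
  const scheme = src.scheme || self.protocol; // scheme-less host-source inherits the document's scheme
  return schemeMatches(scheme, url.protocol) && hostMatches(src.host, url.hostname) && portMatches(src.port, url);
}

// Does the source list allow `url`? An empty list or a lone 'none' allows nothing.
function sourceListAllows(sources, self, url) {
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return false;
  return sources.some((expr) => sourceMatches(expr, self, url));
}

// The spec's check when a response is loaded into a nested browsing context:
// EVERY ancestor up to the top-level page must match the document's own frame-ancestors.
//   policy      the frame-ancestors value, e.g. "https://outer https://middle"
//   documentUrl the document carrying the policy
//   ancestors   its ancestors, nearest parent first, top-level page last ([] when top-level)
function frameAncestorsAllows(policy, documentUrl, ancestors) {
  const self = new URL(documentUrl);
  const sources = policy.trim().split(/\s+/).filter(Boolean);
  return ancestors.every((a) => sourceListAllows(sources, self, new URL(a)));
}

// The question's nesting: outer (top) > middle > inner. Each document's policy is
// checked against its own ancestor chain, so both middle's and inner's must pass.
function scenario(innerPolicy, middlePolicy = "https://outer") {
  return {
    middleOk: frameAncestorsAllows(middlePolicy, "https://middle", ["https://outer"]),
    innerOk: frameAncestorsAllows(innerPolicy, "https://inner", ["https://middle", "https://outer"]),
  };
}

console.log("inner allows only middle: ", scenario("https://middle"));               // innerOk: false
console.log("inner allows only outer:  ", scenario("https://outer"));                // innerOk: false
console.log("inner allows outer+middle:", scenario("https://outer https://middle")); // innerOk: true
console.log("scheme-less host-sources: ", scenario("outer middle"));                 // innerOk: true
```

Note that when middle is itself the top-level window, inner's ancestor list is just [https://middle], so `frame-ancestors https://middle` is sufficient there; it is only the extra ancestor introduced by outer that makes the policy fail, which is why the answer says every ancestor of the resource has to be listed.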