The app may set this property to allow a frame to be embedded by additional ancestors besides what is allowed by
http header X-Frame-Options
and Content-Security-Policy frame-ancestors directive.
If set, a frame ancestor is allowed if it is allowed by the additional allowed frame
ancestors or original http header from the site.
Whether an ancestor is allowed by the additional allowed frame ancestors is done the same way as if the site provided
it as the source list of the Content-Security-Policy frame-ancestors directive.
For example, if https://example.com and https://www.example.com are the origins of the top
page and intermediate iframes that embed a nested site-embedding iframe, and you fully trust
those origins, you should set this property to https://example.com https://www.example.com.
This property gives the app the ability to use iframe to embed sites that otherwise
could not be embedded in an iframe in trusted app pages.
This could potentially subject the embedded sites to Clickjacking
attack from the code running in the embedding web page. Therefore, you should only
set this property with origins of fully trusted embedding page and any intermediate iframes.
Whenever possible, you should use the list of specific origins of the top and intermediate
frames instead of wildcard characters for this property.
This API is to provide limited support for app scenarios that used to be supported by
<webview> element in other solutions like JavaScript UWP apps and Electron.
You should limit the usage of this property to trusted pages, and specific navigation
target url, by checking the Source of the WebView2, and Uri of the event args.
This property is ignored for top level document navigation.
The app may set this property to allow a frame to be embedded by additional ancestors besides what is allowed by http header X-Frame-Options and Content-Security-Policy frame-ancestors directive. If set, a frame ancestor is allowed if it is allowed by the additional allowed frame ancestors or original http header from the site. Whether an ancestor is allowed by the additional allowed frame ancestors is done the same way as if the site provided it as the source list of the Content-Security-Policy frame-ancestors directive. For example, if https://example.com and https://www.example.com are the origins of the top page and intermediate iframes that embed a nested site-embedding iframe, and you fully trust those origins, you should set this property to https://example.com https://www.example.com. This property gives the app the ability to use iframe to embed sites that otherwise could not be embedded in an iframe in trusted app pages. This could potentially subject the embedded sites to Clickjacking attack from the code running in the embedding web page. Therefore, you should only set this property with origins of fully trusted embedding page and any intermediate iframes. Whenever possible, you should use the list of specific origins of the top and intermediate frames instead of wildcard characters for this property. This API is to provide limited support for app scenarios that used to be supported by <webview> element in other solutions like JavaScript UWP apps and Electron. You should limit the usage of this property to trusted pages, and specific navigation target url, by checking the Source of the WebView2, and Uri of the event args.
This property is ignored for top level document navigation.
\snippet ScriptComponent.cpp AdditionalAllowedFrameAncestors_1
\snippet ScriptComponent.cpp AdditionalAllowedFrameAncestors_2