default-src, frame-ancestors, and frame-src are all part of the Content-Security-Policy response header.
frame-src
Restricts which domains and pages can be loaded in an iframe.
The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>.
For example: If the website at https://example.com has a response header of Content-Security-Policy: frame-src 'self', it can only load https://example.com inside iframes.
frame-ancestors
Restricts which domains and pages can load this page in an iframe (similar to the X-Frame-Options header, but takes precedence over it).
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
For example: If the website at https://example.com has a response header of Content-Security-Policy: frame-ancestors 'self', it can only be loaded inside iframes from https://example.com.
default-src
Acts as the default value for any fetch directive that isn’t explicitly set (here is a list of all fetch directives)
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent will look for the default-src directive and will use this value for it.
For example: Content-Security-Policy: default-src 'self' will default to the value 'self' for all fetch directives. Other directives will be unaffected.
Note: since frame-ancestors is not a fetch directive, setting default-src won’t restrict it. It needs to be set separately.
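The fallback behaviour described above, as an added example that is not part of the original text: a small resolver that reports which directive actually governs a given name in a policy. The function names and sample headers are constructed for illustration, and the fallback table is a subset of the CSP Level 3 chains (frame-src falls back to child-src before default-src).

```javascript
// Fetch directives and their fallback chains (CSP Level 3); a subset for brevity.
// frame-ancestors is deliberately absent: it is not a fetch directive.
const FALLBACK = {
  'frame-src': ['child-src', 'default-src'],
  'child-src': ['default-src'],
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'img-src': ['default-src'],
  'connect-src': ['default-src'],
};

// Parse a header value into Map(directive -> source list). The first
// occurrence of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return { from, sources } for the directive that actually governs `name`,
// or null when nothing in the policy restricts it.
function effectiveSources(header, name) {
  const policy = parseCsp(header);
  for (const candidate of [name, ...(FALLBACK[name] || [])]) {
    if (policy.has(candidate)) {
      return { from: candidate, sources: policy.get(candidate) };
    }
  }
  return null;
}

// Constructed sample headers.
const onlyDefault = "default-src 'self'";
const withAncestors = "default-src 'self'; frame-ancestors 'none'";

console.log(effectiveSources(onlyDefault, 'frame-src'));         // governed by default-src
console.log(effectiveSources(onlyDefault, 'frame-ancestors'));   // null: framing is not restricted
console.log(effectiveSources(withAncestors, 'frame-ancestors')); // governed by frame-ancestors
```

A null result for frame-ancestors means the policy places no limit on who may embed the page, regardless of what default-src says.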