The option is to use Content Security Policy (CSP) and its frame-ancestors directive. This directive allows the application developer to disallow all frame use or specify where it is allowed, similar to X-Frame-Options.
Possible CSP frame-ancestor settings:
- Content-Security-Policy: frame-ancestors ‘none’
- Content-Security-Policy: frame-ancestors ‘self’
- Content-Security-Policy: frame-ancestors example.com