
Content security policy header

Updated: Jun 20, 2018


OWASP has currently updated its guidance on this header issue:

To protect against Cross-Site Scripting, set the 'default-src' policy, or 'script-src' AND 'object-src' with proper values. Insecure values such as '*', 'data:', 'unsafe-inline', or 'unsafe-eval' should be avoided.

To protect against Cross-Frame Scripting or clickjacking, set the 'frame-ancestors' policy with proper values. Insecure values such as '*' or 'data:' should be avoided.

base-uri controls the protected resource’s ability to specify the document base URL.

child-src deprecates and replaces frame-src, controlling the protected resource’s ability to embed frames.

form-action controls the protected resource’s ability to submit forms.

frame-ancestors controls the protected resource’s ability to be embedded in other documents.

A protected resource’s ability to load Workers is now controlled via child-src rather than script-src.

Content-Security-Policy: frame-ancestors 'self';

To prevent all framing of your content use:

Content-Security-Policy: frame-ancestors 'none';

To allow for your site only, use:

Content-Security-Policy: frame-ancestors 'self';

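<!-- Directives are separated by ';'. Replace https://www.example.com (a placeholder) with the URL of your website. -->
<add name="Content-Security-Policy" value="frame-ancestors 'self'; child-src 'self' https://www.example.com" />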
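The OWASP checks listed above can be automated before a header is deployed. The following Python auditor is an added example, not part of the original post: it parses a policy value, flags the insecure source values named above, and catches a dropped ';' between directives. The function names and sample policies are assumptions constructed for illustration.

```python
# Added example: audit a Content-Security-Policy value against the checks above.
XSS_BAD = {"*", "data:", "'unsafe-inline'", "'unsafe-eval'"}
FRAMING_BAD = {"*", "data:"}
DIRECTIVES = {"default-src", "script-src", "object-src", "child-src",
              "frame-src", "base-uri", "form-action", "frame-ancestors"}

def parse_csp(value):
    """Return {directive: [sources]}. Directives are ';'-separated, names are
    case-insensitive, and a repeated directive is ignored (first one wins)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_csp(value):
    """Return a list of findings; an empty list means every check passed."""
    policy = parse_csp(value)
    findings = []
    # XSS: script-src and object-src each fall back to default-src if absent.
    for name in ("script-src", "object-src"):
        used = name if name in policy else "default-src"
        if used not in policy:
            findings.append(f"{name}: not set and no default-src fallback")
            continue
        for src in policy[used]:
            if src.lower() in XSS_BAD:
                findings.append(f"{name}: insecure value {src} (via {used})")
    # Clickjacking: frame-ancestors has no default-src fallback.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors: not set")
    else:
        for src in policy["frame-ancestors"]:
            if src.lower() in FRAMING_BAD:
                findings.append(f"frame-ancestors: insecure value {src}")
    # A directive name in a source list means a ';' separator was dropped.
    for name, sources in policy.items():
        for src in sources:
            if src.lower() in DIRECTIVES:
                findings.append(f"{name}: '{src}' parsed as a source, missing ';'?")
    return findings

if __name__ == "__main__":
    # Constructed sample policies, not taken from a real site.
    for sample in ("default-src 'self'; frame-ancestors 'none'",
                   "script-src 'self' 'unsafe-inline'; frame-ancestors *",
                   "frame-ancestors 'self' child-src 'self'"):
        print(sample, "->", audit_csp(sample) or "OK")
```

In the third sample the missing ';' makes child-src and its 'self' part of the frame-ancestors source list, so no child-src directive is actually set.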
