How to control iframe with specific origins with Content Security Policy (CSP)

Programming, error messages and sample code > sample code
Assuming you have two websites: one is www.domainA.com, and the other is www.domainB.com. You wish to embed www.domainB.com as an iframe element on a page of www.domainA.com. However, you may encounter an error message stating, "Refused to display 'https://www.domainB.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN' or 'DENY'."
 
One way to address this is to remove the "X-Frame-Options" response header from the site www.domainB.com, if possible.
 
 
Syntax
Content-Security-Policy: frame-ancestors <source>;
Content-Security-Policy: frame-ancestors <space separated list of sources>;
 
Here is an example of setting the Content Security Policy (CSP) in the web.config file to allow embedding from specific domains:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="frame-ancestors 'self' https://www.domainA.com/" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>