...
Control which external domains iframes on your website can communicate with.
Risk - Internally, developers may introduce iframe code to subvert your website or collect sensitive data. Externally, if your application is open to an injection attack, a malicious iframe may be placed on your website.
Possible Impact - iframe callouts to external domains not added to the white list will not work. The success of this policy depends on having a proper inventory of external domains used by iframes.
Considerations - If the website is an application, you may want to use code to set headers instead of using the web server.
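An added example (not code from the original page) of setting the header from application code and checking pages against the iframe inventory. It assumes the policy is delivered as the CSP `frame-src` directive, which the page does not name; the inventory origins and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inventory of external origins iframes may load (assumption).
FRAME_INVENTORY = ["https://player.example.com", "https://maps.example.net"]

def build_frame_src(origins):
    """Build a CSP frame-src directive from vetted https origins."""
    vetted = []
    for origin in origins:
        parts = urlsplit(origin)
        # Refuse wildcards, non-https schemes and entries carrying a path.
        if (parts.scheme != "https" or not parts.hostname
                or "*" in origin or parts.path not in ("", "/")):
            raise ValueError(f"refusing inventory entry: {origin!r}")
        vetted.append(f"https://{parts.netloc}")
    return "frame-src 'self' " + " ".join(vetted)

class _IframeCollector(HTMLParser):
    """Collect the src attribute of every iframe tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe" and src:
            self.sources.append(src)

def uninventoried_iframes(html, origins):
    """Return iframe src values whose external host is not in the inventory."""
    collector = _IframeCollector()
    collector.feed(html)
    allowed = {urlsplit(o).netloc.lower() for o in origins}
    # Relative URLs have no netloc, so they are same-origin and skipped.
    return [src for src in collector.sources
            if urlsplit(src).netloc and urlsplit(src).netloc.lower() not in allowed]

def csp_middleware(app, origins=FRAME_INVENTORY):
    """WSGI wrapper: the application, not the web server, sets the header."""
    policy = build_frame_src(origins)
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            # An extra CSP header is enforced alongside any existing policy.
            headers = list(headers) + [("Content-Security-Policy", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped
```

Running `uninventoried_iframes` over rendered templates before enforcing the policy shows which iframes would stop working because their domain is missing from the inventory.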
...