The frame-src directive is deprecated in CSP 2 and is replaced by child-src which is correctly supported by csp-builder. Unfortunately, this will result in WebKit based browsers which only support CSP 1 falling back to default-src for nested browsing contexts, which could cause unexpected behaviour.

https://github.com/paragonie/csp-builder/blob/master/src/CSPBuilder.php#L85

In order to support WebKit you should allow a user to specify the frame-src directive. If the user does not specify a frame-src directive, the value of the child-src directive could be duplicated in the frame-src directive. There isn't really a downside apart from some header bloat and it results in support for WebKit based browsers like Safari and Edge.

@troyhunt experienced the issue and I assisted in debugging it: http://www.troyhunt.com/2015/10/how-to-break-your-site-with-content.html

There isn't really a downside apart from some header bloat

I could easily make that configuration option (default to bloat-but-compatible, but let people elect to turn that off).

This has been implemented and will be included in 1.1.0 once I'm confident that it has been adequately fixed. Once again, thank you for letting me know about these quirks! 👍