Reputation: 879
Let's say my main Java web application is running on machine one: http://192.168.0.1:8080/mainapp
Two other applications are framing my main application.
Assume the two other applications are running on other machines, like
http://192.168.0.21/TrustedOne and http://192.168.0.31/TrustedTwo
These two applications frame it like this:
<html>
<body>
<iframe src="http://192.168.0.1:8080/mainapp" width="200" height="200">
</iframe>
</body>
</html>
I want to allow framing only for http://192.168.0.21/TrustedOne and http://192.168.0.31/TrustedTwo. So I put a Content-Security-Policy header in a filter class in my main Java application.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// doFilter() of a javax.servlet.Filter mapped in front of /mainapp.
// ServletResponse has no addHeader(); the cast to HttpServletResponse is required.
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    ((HttpServletResponse) response).addHeader("Content-Security-Policy",
            "frame-ancestors http://192.168.0.21/TrustedOne http://192.168.0.31/TrustedTwo");
    chain.doFilter(request, response);
}
My expected result is that these two framing applications should get access to the main application inside the iframe.
But neither of these framing applications can access http://192.168.0.1:8080/mainapp in any of the browsers: Chrome, Firefox and IE.
All browsers blocked my main application http://192.168.0.1:8080/mainapp.
Is there something wrong with my understanding of frame-ancestors in Content-Security-Policy?
Upvotes: 1
Views: 16738
Reputation: 887195
The frame-ancestors directive can only have a host or an origin, not a URL with a path (documentation).
Delete the path.
Upvotes: 3
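To make the answer concrete, here is a small checker, added as an example and not part of the question or answer above, that lints the frame-ancestors value from the question, rewrites each source down to its host/origin, and then tests which framing page URLs each version admits. The framing URLs it is run against are constructed test inputs; the header value is the one from the question. The matching is a simplified model of the browser's host-source matching (scheme, host and port, with http sources also matching https ancestors; 'self' and wildcards are not modelled), and, following the answer, a source that carries a path is treated as invalid and matches nothing. Two practical checks to do alongside this: confirm with a request to /mainapp that exactly one Content-Security-Policy header is sent and that no X-Frame-Options header (for example a framework default of DENY or SAMEORIGIN) is also present, since that header is enforced independently; and note that Internet Explorer never implemented the frame-ancestors directive, so its behaviour cannot be fixed by the CSP header at all.

```python
"""Lint a Content-Security-Policy frame-ancestors directive and check which
framing origins it admits.

Added example, not code from the original question or answer. The header
value below is the one from the question; the ancestor URLs it is checked
against (see ancestor_allowed) are constructed test inputs. The matching is
a simplified model of browser host-source matching, not a full CSP engine.
"""
from urllib.parse import urlsplit

# The header value exactly as set by the filter in the question.
QUESTION_HEADER = (
    "frame-ancestors http://192.168.0.21/TrustedOne http://192.168.0.31/TrustedTwo"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def frame_ancestor_sources(csp_header):
    """Return the source expressions of the frame-ancestors directive, or []."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []


def _split_source(source):
    """urlsplit() only sees an authority when a scheme or '//' is present."""
    had_scheme = "://" in source
    return had_scheme, urlsplit(source if had_scheme else "//" + source)


def has_path(source):
    """True if a host-source carries a path component (e.g. http://host/app)."""
    if source.startswith("'"):          # keyword sources such as 'self', 'none'
        return False
    _, parts = _split_source(source)
    return parts.path not in ("", "/")


def to_origin(source):
    """Strip the path from a host-source, keeping scheme, host and port."""
    if source.startswith("'"):
        return source
    had_scheme, parts = _split_source(source)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return f"{parts.scheme}://{host}" if had_scheme else host


def corrected_directive(csp_header):
    """Rebuild frame-ancestors with every source reduced to a host or origin."""
    sources = [to_origin(s) for s in frame_ancestor_sources(csp_header)]
    return "frame-ancestors " + " ".join(sources)


def ancestor_allowed(csp_header, ancestor_url):
    """Simplified host-source match of a framing document's URL.

    Scheme (if the source gives one; http also admits https), host and port
    must agree; the ancestor's own path never matters. A source that itself
    carries a path is not a valid ancestor-source and matches nothing, which
    is why the header in the question blocks both trusted framers.
    """
    anc = urlsplit(ancestor_url)
    anc_port = anc.port or DEFAULT_PORTS.get(anc.scheme)
    for source in frame_ancestor_sources(csp_header):
        if source == "'none'":
            return False
        if source.startswith("'") or has_path(source):
            continue  # 'self' not modelled; path-bearing source is invalid
        had_scheme, src = _split_source(source)
        if had_scheme and src.scheme != anc.scheme and not (
            src.scheme == "http" and anc.scheme == "https"
        ):
            continue
        if src.hostname != anc.hostname:
            continue
        src_port = src.port or DEFAULT_PORTS.get(anc.scheme)
        if src_port != anc_port:
            continue
        return True
    return False


if __name__ == "__main__":
    fixed = corrected_directive(QUESTION_HEADER)
    print("as posted :", QUESTION_HEADER)
    print("corrected :", fixed)
    for url in ("http://192.168.0.21/TrustedOne", "http://192.168.0.99/other"):
        print(f"{url}: posted={ancestor_allowed(QUESTION_HEADER, url)} "
              f"corrected={ancestor_allowed(fixed, url)}")
```

Running it prints the corrected directive, `frame-ancestors http://192.168.0.21 http://192.168.0.31`, and shows that the posted value admits neither trusted framer while the corrected one admits both and still rejects any other host or a different port on the same host.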