
Commit c58ea35

Remove frame-ancestors * CSP directive (#4332)
This PR essentially reverses #2797. Currently, framing TensorBoard from VS Code doesn't work because the `frame-ancestors *` directive prevents it. This is because VS Code is an Electron application, and Electron appears to be unable to frame websites which set `frame-ancestors *` in their response headers: electron/electron#26369. If I'm reading the CSP specification correctly, omitting the frame-ancestors directive altogether is equivalent to setting `frame-ancestors *`, so to my knowledge this PR should not result in a behavior change for environments which correctly implement the CSP spec. From https://w3c.github.io/webappsec-csp/2/#directive-frame-ancestors: > The term allowed frame ancestors refers to the result of parsing the frame-ancestors directive’s value as a source list. If a frame-ancestors directive is not explicitly included in the policy, then allowed frame ancestors is "*".
1 parent e7a1cea commit c58ea35

3 files changed

+6
-9
lines changed


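--- a/tensorboard/backend/http_util.py
+++ b/tensorboard/backend/http_util.py
@@ -222,7 +222,6 @@ def Respond(
 "default-src 'self'",
 "font-src %s"
 % _create_csp_string("'self'", *_CSP_FONT_DOMAINS_WHITELIST),
-"frame-ancestors *",
 # Dynamic plugins are rendered inside an iframe.
 "frame-src %s"
 % _create_csp_string("'self'", *_CSP_FRAME_DOMAINS_WHITELIST),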
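Review bot: The policy list now carries no frame-ancestors directive at all, and nothing in the hunk records that the omission is deliberate, so a later reader of Respond may assume framing was restricted or simply forgotten. I would add, where the deleted line sat, `# No frame-ancestors directive on purpose: per CSP Level 2, omitting it allows any ancestor to frame us (same as the old "*"), and Electron-based hosts such as VS Code refuse to frame pages that send "frame-ancestors *" explicitly (#4332).` One practical consequence worth noting in that comment: an explicit frame-ancestors directive takes precedence over an X-Frame-Options header, whereas with the directive absent any X-Frame-Options header that Respond or a fronting proxy sets now governs framing, so the two should be checked for agreement. Respond's body starts and ends outside this hunk.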

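--- a/tensorboard/backend/http_util_test.py
+++ b/tensorboard/backend/http_util_test.py
@@ -239,7 +239,7 @@ def testCsp(self):
 q, "<b>hello</b>", "text/html", csp_scripts_sha256s=["abcdefghi"]
 )
 expected_csp = (
-"default-src 'self';font-src 'self' data:;frame-ancestors *;"
+"default-src 'self';font-src 'self' data:;"
 "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
 "connect-src 'self';script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"
@@ -253,7 +253,7 @@ def testCsp_noHash(self):
 q, "<b>hello</b>", "text/html", csp_scripts_sha256s=None
 )
 expected_csp = (
-"default-src 'self';font-src 'self' data:;frame-ancestors *;"
+"default-src 'self';font-src 'self' data:;"
 "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
 "connect-src 'self';script-src 'unsafe-eval'"
@@ -268,7 +268,7 @@ def testCsp_noHash_noUnsafeEval(self):
 q, "<b>hello</b>", "text/html", csp_scripts_sha256s=None
 )
 expected_csp = (
-"default-src 'self';font-src 'self' data:;frame-ancestors *;"
+"default-src 'self';font-src 'self' data:;"
 "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
 "connect-src 'self';script-src 'none'"
@@ -283,7 +283,7 @@ def testCsp_onlySelf(self):
 q, "<b>hello</b>", "text/html", csp_scripts_sha256s=None
 )
 expected_csp = (
-"default-src 'self';font-src 'self' data:;frame-ancestors *;"
+"default-src 'self';font-src 'self' data:;"
 "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
 "connect-src 'self';script-src 'self'"
@@ -297,7 +297,7 @@ def testCsp_disableUnsafeEval(self):
 q, "<b>hello</b>", "text/html", csp_scripts_sha256s=["abcdefghi"]
 )
 expected_csp = (
-"default-src 'self';font-src 'self' data:;frame-ancestors *;"
+"default-src 'self';font-src 'self' data:;"
 "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
 "connect-src 'self';script-src 'self' 'sha256-abcdefghi'"
@@ -324,7 +324,7 @@ def testCsp_globalDomainWhiteList(self):
 q, "<b>hello</b>", "text/html", csp_scripts_sha256s=["abcd"]
 )
 expected_csp = (
-"default-src 'self';font-src 'self' data:;frame-ancestors *;"
+"default-src 'self';font-src 'self' data:;"
 "frame-src 'self' https://myframe.com;"
 "img-src 'self' data: blob: https://example.com;"
 "object-src 'none';style-src 'self' https://www.gstatic.com data: "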

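--- a/tensorboard/backend/security_validator.py
+++ b/tensorboard/backend/security_validator.py
@@ -34,8 +34,6 @@
 _CSP_DEFAULT_SRC = "default-src"
 # Whitelist of allowed CSP violations.
 _CSP_IGNORE = {
-# Allow TensorBoard to be iframed.
-"frame-ancestors": ["*"],
 # Polymer-based code uses unsafe-inline.
 "style-src": ["'unsafe-inline'", "data:"],
 # Used in canvas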
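Review bot: With the frame-ancestors entry gone from `_CSP_IGNORE`, a policy that still contains that directive will presumably be reported by the validator rather than ignored, and the hunk leaves no trace of why that is now the intended outcome. I would put a comment in place of the deleted pair: `# frame-ancestors is intentionally absent: http_util no longer emits it (#4332), so any value seen here is a genuine policy change to review.` How the validator treats directives missing from `_CSP_IGNORE` is not visible in this hunk, so that wording should be checked against the code that consumes this dict.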
