Skip to content

csp: add frame-ancestors * #2797

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stephanwlee merged 1 commit into from
Oct 18, 2019
Merged

csp: add frame-ancestors * #2797

stephanwlee merged 1 commit into from
Oct 18, 2019

Conversation

@stephanwlee
Copy link
Contributor

@stephanwlee stephanwlee commented Oct 18, 2019

frame-ancestors is more modern way of doing x-frame-options which
TensorBoard did not set before and defaulted to allow. We, here, want to
explicitly allow all hosts to iframe TensorBoard inside since we have a
usecase like Jupyter notebooks.

@stephanwlee
csp: add frame-ancestors *
c458359 
frame-ancestors is more modern way of doing x-frame-options which
TensorBoard did not set before and defaulted to allow. We, here, want to
explicitly allow all hosts to iframe TensorBoard inside since we have a
usecase like Jupyter notebooks.
@stephanwlee stephanwlee requested a review from nfelt October 18, 2019 20:26
@stephanwlee stephanwlee merged commit 26d212a into tensorflow:master Oct 18, 2019
@stephanwlee stephanwlee deleted the frame branch October 18, 2019 21:20
@joyceerhl joyceerhl mentioned this pull request Nov 3, 2020
Closed
@joyceerhl joyceerhl mentioned this pull request Nov 16, 2020
Merged
stephanwlee pushed a commit that referenced this pull request Nov 17, 2020
@joyceerhl
Remove frame-ancestors * CSP directive (#4332)
c58ea35 
This PR essentially reverses #2797.

Currently this doesn't work because the `frame-ancestors *` directive prevents VS Code from framing TensorBoard. This is because VS Code is an Electron application, and Electron appears to be unable to frame websites which set `frame-ancestors *` in its response headers: electron/electron#26369

If I'm reading the CSP specification correctly, omitting the frame-ancestors directive altogether is equivalent to setting `frame-ancestors *`, so to my knowledge this PR should not result in a behavior change for environments which correctly implement the CSP spec. From https://w3c.github.io/webappsec-csp/2/#directive-frame-ancestors:

> The term allowed frame ancestors refers to the result of parsing the frame-ancestors directive’s value as a source list. If a frame-ancestors directive is not explicitly included in the policy, then allowed frame ancestors is "*".
wchargin pushed a commit that referenced this pull request Jan 14, 2021
@joyceerhl @wchargin
Remove frame-ancestors * CSP directive (#4332)
877829c 
This PR essentially reverses #2797.

Currently this doesn't work because the `frame-ancestors *` directive prevents VS Code from framing TensorBoard. This is because VS Code is an Electron application, and Electron appears to be unable to frame websites which set `frame-ancestors *` in its response headers: electron/electron#26369

If I'm reading the CSP specification correctly, omitting the frame-ancestors directive altogether is equivalent to setting `frame-ancestors *`, so to my knowledge this PR should not result in a behavior change for environments which correctly implement the CSP spec. From https://w3c.github.io/webappsec-csp/2/#directive-frame-ancestors:

> The term allowed frame ancestors refers to the result of parsing the frame-ancestors directive’s value as a source list. If a frame-ancestors directive is not explicitly included in the policy, then allowed frame ancestors is "*".
@wchargin wchargin mentioned this pull request Jan 14, 2021
Merged
wchargin added a commit that referenced this pull request Jan 14, 2021
@wchargin @joyceerhl
2.4: Remove frame-ancestors * CSP directive (#4332) (#4550)
5acbae8 
Backport of #4332 to 2.4. Cf. #4547.

---

This PR essentially reverses #2797.

Currently this doesn't work because the `frame-ancestors *` directive prevents VS Code from framing TensorBoard. This is because VS Code is an Electron application, and Electron appears to be unable to frame websites which set `frame-ancestors *` in its response headers: electron/electron#26369

If I'm reading the CSP specification correctly, omitting the frame-ancestors directive altogether is equivalent to setting `frame-ancestors *`, so to my knowledge this PR should not result in a behavior change for environments which correctly implement the CSP spec. From https://w3c.github.io/webappsec-csp/2/#directive-frame-ancestors:

> The term allowed frame ancestors refers to the result of parsing the frame-ancestors directive’s value as a source list. If a frame-ancestors directive is not explicitly included in the policy, then allowed frame ancestors is "*".

Co-authored-by: Joyce Er <joyceerhuiling@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@nfelt nfelt nfelt approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cla: yes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stephanwlee @nfelt @googlebot