Remove frame-ancestors * CSP directive

[joyceerhl]

Motivation for features / changes

Hi! I'm a dev working on adding TensorBoard support to the Python and Jupyter extensions for VS Code. We'd like to enable users to view TensorBoard inline in our Jupyter notebook experience within VS Code.

Currently this doesn't work because the frame-ancestors * directive prevents VS Code from framing TensorBoard. This is because VS Code is an Electron application, and Electron appears to be unable to frame websites which set frame-ancestors * in its response headers: electron/electron#26369

Technical description of changes

This PR essentially reverses #2797.

If I'm reading the CSP specification correctly, omitting the frame-ancestors directive altogether is equivalent to setting frame-ancestors *, so to my knowledge this PR should not result in a behavior change for environments which correctly implement the CSP spec. From https://w3c.github.io/webappsec-csp/2/#directive-frame-ancestors:

The term allowed frame ancestors refers to the result of parsing the frame-ancestors directive’s value as a source list. If a frame-ancestors directive is not explicitly included in the policy, then allowed frame ancestors is "*".

Screenshots of UI changes

With this PR, users can now display TensorBoard inline in a Jupyter notebook in VS Code:

Detailed steps to verify changes work correctly (as executed by you)

1. Remove line 223 which sets frame-ancestors * from backend/http_util.py
2. Install tensorboard package locally
3. Install Visual Studio Code from https://code.visualstudio.com/download and add it to your PATH during the installation stage
4. Install the Python extension for VS Code by running code --install-extension ms-python.python in your shell
5. Open VS Code
6. Hit 'Cmd/Ctrl + Shift + P' to bring up the command palette. Type 'Jupyter: Create New Blank Jupyter Notebook' and press enter. This will create a blank Jupyter notebook
7. In a cell, run

from IPython.display import IFrame
IFrame('http://localhost:6060', width=700, height=350)

8. tensorboard should now be rendered inline in the cell output

Thank you and please let me know if you have questions about this proposed change!

[google-cla]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[joyceerhl]

@googlebot I signed it!

[stephanwlee]

I will try to cherry pick this change to make sure it does not negatively impact Colab and other services.

[stephanwlee]

Manually checked internal version and Colab and noticed no regression.

LGTM!

[wchargin]

Weird. Thanks for filing the upstream issue!

[wchargin]

…and congrats on the launch! :-)