diff --git a/tensorboard/backend/http_util.py b/tensorboard/backend/http_util.py
index cc32e08362..28838cd2a7 100644
--- a/tensorboard/backend/http_util.py
+++ b/tensorboard/backend/http_util.py
@@ -222,7 +222,6 @@ def Respond(
"default-src 'self'",
"font-src %s"
% _create_csp_string("'self'", *_CSP_FONT_DOMAINS_WHITELIST),
- "frame-ancestors *",
# Dynamic plugins are rendered inside an iframe.
"frame-src %s"
% _create_csp_string("'self'", *_CSP_FRAME_DOMAINS_WHITELIST),
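Review bot: Deleting `frame-ancestors *` does not change the effective policy: `frame-ancestors` is one of the directives that never falls back to `default-src`, so with the directive absent the page remains embeddable from any origin, exactly as it was with `*`. If the goal is to actually restrict framing, the line needs to be replaced rather than removed, e.g. `"frame-ancestors 'self'",` (or a whitelisted list built with `_create_csp_string` like the neighbouring directives); if the goal is only to stop declaring a permissive value explicitly, a comment should record the decision, e.g. `# No frame-ancestors directive: embedding from any origin stays allowed (it does not inherit default-src).`. The enclosing `Respond` function starts and ends outside this hunk, so I cannot see whether an `X-Frame-Options` header compensates elsewhere.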
diff --git a/tensorboard/backend/http_util_test.py b/tensorboard/backend/http_util_test.py
index 5423a96c5d..a1e2c1a88e 100644
--- a/tensorboard/backend/http_util_test.py
+++ b/tensorboard/backend/http_util_test.py
@@ -239,7 +239,7 @@ def testCsp(self):
q, "hello", "text/html", csp_scripts_sha256s=["abcdefghi"]
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+ "default-src 'self';font-src 'self' data:;"
"frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
"connect-src 'self';script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"
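Review bot: The expected prefix `"default-src 'self';font-src 'self' data:;"` is now repeated verbatim in six tests (this one, `testCsp_noHash`, `testCsp_noHash_noUnsafeEval`, `testCsp_onlySelf`, `testCsp_disableUnsafeEval` and `testCsp_globalDomainWhiteList`), which is why removing a single directive touches six hunks. Hoisting it into a module-level constant such as `_CSP_COMMON_PREFIX = "default-src 'self';font-src 'self' data:;"` and building each `expected_csp` from it would keep the next directive change to one edit. Note that no test asserts on its own that `frame-ancestors` is gone; only the whole-string equality covers it, so a future re-addition would surface as a long diff rather than a targeted failure. The test method bodies continue outside these hunks.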
@@ -253,7 +253,7 @@ def testCsp_noHash(self):
q, "hello", "text/html", csp_scripts_sha256s=None
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+ "default-src 'self';font-src 'self' data:;"
"frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
"connect-src 'self';script-src 'unsafe-eval'"
@@ -268,7 +268,7 @@ def testCsp_noHash_noUnsafeEval(self):
q, "hello", "text/html", csp_scripts_sha256s=None
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+ "default-src 'self';font-src 'self' data:;"
"frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
"connect-src 'self';script-src 'none'"
@@ -283,7 +283,7 @@ def testCsp_onlySelf(self):
q, "hello", "text/html", csp_scripts_sha256s=None
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+ "default-src 'self';font-src 'self' data:;"
"frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
"connect-src 'self';script-src 'self'"
@@ -297,7 +297,7 @@ def testCsp_disableUnsafeEval(self):
q, "hello", "text/html", csp_scripts_sha256s=["abcdefghi"]
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+ "default-src 'self';font-src 'self' data:;"
"frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
"connect-src 'self';script-src 'self' 'sha256-abcdefghi'"
@@ -324,7 +324,7 @@ def testCsp_globalDomainWhiteList(self):
q, "hello", "text/html", csp_scripts_sha256s=["abcd"]
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+ "default-src 'self';font-src 'self' data:;"
"frame-src 'self' https://myframe.com;"
"img-src 'self' data: blob: https://example.com;"
"object-src 'none';style-src 'self' https://www.gstatic.com data: "
diff --git a/tensorboard/backend/security_validator.py b/tensorboard/backend/security_validator.py
index a7bc1cf5d2..34926d5821 100644
--- a/tensorboard/backend/security_validator.py
+++ b/tensorboard/backend/security_validator.py
@@ -34,8 +34,6 @@
_CSP_DEFAULT_SRC = "default-src"
# Whitelist of allowed CSP violations.
_CSP_IGNORE = {
- # Allow TensorBoard to be iframed.
- "frame-ancestors": ["*"],
# Polymer-based code uses unsafe-inline.
"style-src": ["'unsafe-inline'", "data:"],
# Used in canvas
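Review bot: With the `frame-ancestors` entry gone from `_CSP_IGNORE`, a response that still emits `frame-ancestors *` will presumably be reported by the validator, which matches the header change in http_util.py; but this whitelist only filters reported violations, so it cannot flag the directive being absent altogether, and absence leaves framing just as unrestricted as `*` did. A short comment on the dict would stop a later reader from re-adding the entry as a "fix", e.g. `# frame-ancestors is deliberately not listed; its absence is not detected here.`. The `_CSP_IGNORE` literal continues past the end of this hunk.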