Remove frame-ancestors * CSP directive

tensorboard/backend/http_util.py

@@ -222,7 +222,6 @@ def Respond(
                 "default-src 'self'",
                 "font-src %s"
                 % _create_csp_string("'self'", *_CSP_FONT_DOMAINS_WHITELIST),
-                "frame-ancestors *",
                 # Dynamic plugins are rendered inside an iframe.
                 "frame-src %s"
                 % _create_csp_string("'self'", *_CSP_FRAME_DOMAINS_WHITELIST),

tensorboard/backend/http_util_test.py

@@ -239,7 +239,7 @@ def testCsp(self):
             q, "<b>hello</b>", "text/html", csp_scripts_sha256s=["abcdefghi"]
         )
         expected_csp = (
-            "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+            "default-src 'self';font-src 'self' data:;"
             "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
             "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
             "connect-src 'self';script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"
@@ -253,7 +253,7 @@ def testCsp_noHash(self):
             q, "<b>hello</b>", "text/html", csp_scripts_sha256s=None
         )
         expected_csp = (
-            "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+            "default-src 'self';font-src 'self' data:;"
             "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
             "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
             "connect-src 'self';script-src 'unsafe-eval'"
@@ -268,7 +268,7 @@ def testCsp_noHash_noUnsafeEval(self):
             q, "<b>hello</b>", "text/html", csp_scripts_sha256s=None
         )
         expected_csp = (
-            "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+            "default-src 'self';font-src 'self' data:;"
             "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
             "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
             "connect-src 'self';script-src 'none'"
@@ -283,7 +283,7 @@ def testCsp_onlySelf(self):
             q, "<b>hello</b>", "text/html", csp_scripts_sha256s=None
         )
         expected_csp = (
-            "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+            "default-src 'self';font-src 'self' data:;"
             "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
             "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
             "connect-src 'self';script-src 'self'"
@@ -297,7 +297,7 @@ def testCsp_disableUnsafeEval(self):
             q, "<b>hello</b>", "text/html", csp_scripts_sha256s=["abcdefghi"]
         )
         expected_csp = (
-            "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+            "default-src 'self';font-src 'self' data:;"
             "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
             "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
             "connect-src 'self';script-src 'self' 'sha256-abcdefghi'"
@@ -324,7 +324,7 @@ def testCsp_globalDomainWhiteList(self):
             q, "<b>hello</b>", "text/html", csp_scripts_sha256s=["abcd"]
         )
         expected_csp = (
-            "default-src 'self';font-src 'self' data:;frame-ancestors *;"
+            "default-src 'self';font-src 'self' data:;"
             "frame-src 'self' https://myframe.com;"
             "img-src 'self' data: blob: https://example.com;"
             "object-src 'none';style-src 'self' https://www.gstatic.com data: "

tensorboard/backend/security_validator.py

@@ -34,8 +34,6 @@
 _CSP_DEFAULT_SRC = "default-src"
 # Whitelist of allowed CSP violations.
 _CSP_IGNORE = {
-    # Allow TensorBoard to be iframed.
-    "frame-ancestors": ["*"],
     # Polymer-based code uses unsafe-inline.
     "style-src": ["'unsafe-inline'", "data:"],
     # Used in canvas