Skip to content

2.4: Remove frame-ancestors * CSP directive (#4332) #4550

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wchargin merged 4 commits into from
Jan 14, 2021
Merged

2.4: Remove frame-ancestors * CSP directive (#4332) #4550

wchargin merged 4 commits into from
Jan 14, 2021

Conversation

@wchargin
Copy link
Contributor

@wchargin wchargin commented Jan 14, 2021
edited
Loading

Backport of #4332 to 2.4. Cf. #4547.

This PR essentially reverses #2797.

Currently this doesn't work because the frame-ancestors * directive prevents VS Code from framing TensorBoard. This is because VS Code is an Electron application, and Electron appears to be unable to frame websites which set frame-ancestors * in its response headers: electron/electron#26369

If I'm reading the CSP specification correctly, omitting the frame-ancestors directive altogether is equivalent to setting frame-ancestors *, so to my knowledge this PR should not result in a behavior change for environments which correctly implement the CSP spec. From https://w3c.github.io/webappsec-csp/2/#directive-frame-ancestors:

The term allowed frame ancestors refers to the result of parsing the frame-ancestors directive’s value as a source list. If a frame-ancestors directive is not explicitly included in the policy, then allowed frame ancestors is "*".

Co-authored-by: Joyce Er joyceerhuiling@gmail.com

wchargin and others added 2 commits January 13, 2021 17:41
@wchargin
ci: backport new CI to 2.4 release branch
29c2100 
Summary:
Generated with `git restore -s origin/master .travis.yml .github/ ci/`,
plus the following manual changes:

  - removed the `build-data-server-pip` CI job, since 2.4 doesn’t have
    any Rust packages to build;
  - reinstated `flake8` for Python 3.5;
  - removed CI check for absence of `"@npm_angular_bazel//:index.bzl"`;
  - downgraded CI Bazel to 2.1.0 to match WORKSPACE file;
  - cherry-picked `test_pip_package.sh` changes for `--tf-version notf`.

Test Plan:
CI test run passed:
<https://github.com/tensorflow/tensorboard/runs/1699068256>

wchargin-branch: ci-backport-2.4
wchargin-source: a6833768fb4e5c516f426d5c32b4044063fcfefc
@joyceerhl @wchargin
Remove frame-ancestors * CSP directive (#4332)
877829c 
This PR essentially reverses #2797.

Currently this doesn't work because the `frame-ancestors *` directive prevents VS Code from framing TensorBoard. This is because VS Code is an Electron application, and Electron appears to be unable to frame websites which set `frame-ancestors *` in its response headers: electron/electron#26369

If I'm reading the CSP specification correctly, omitting the frame-ancestors directive altogether is equivalent to setting `frame-ancestors *`, so to my knowledge this PR should not result in a behavior change for environments which correctly implement the CSP spec. From https://w3c.github.io/webappsec-csp/2/#directive-frame-ancestors:

> The term allowed frame ancestors refers to the result of parsing the frame-ancestors directive’s value as a source list. If a frame-ancestors directive is not explicitly included in the policy, then allowed frame ancestors is "*".
@google-cla
Copy link

google-cla bot commented Jan 14, 2021

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added the cla: no label Jan 14, 2021
Base automatically changed from wchargin-ci-backport-2.4 to 2.4 January 14, 2021 02:05
@wchargin wchargin added cla: yes and removed cla: no labels Jan 14, 2021
@wchargin
Copy link
Contributor Author

wchargin commented Jan 14, 2021

CLAs are okay since this is just a backport of #4332, whose original
author has signed the CLA.

@google-cla

This comment has been minimized.

Sign in to view
@google-cla google-cla bot added cla: no and removed cla: yes labels Jan 14, 2021
@wchargin wchargin added cla: yes and removed cla: no labels Jan 14, 2021
@wchargin wchargin requested a review from stephanwlee January 14, 2021 02:13
@google-cla

This comment has been minimized.

Sign in to view
@google-cla google-cla bot added cla: no and removed cla: yes labels Jan 14, 2021
@wchargin wchargin added cla: yes and removed cla: no labels Jan 14, 2021
@wchargin wchargin merged commit 5acbae8 into 2.4 Jan 14, 2021
@wchargin wchargin deleted the wchargin-2.4-frame-ancestors branch January 14, 2021 03:16
@wchargin wchargin mentioned this pull request Jan 14, 2021
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stephanwlee stephanwlee stephanwlee approved these changes

Assignees

No one assigned

Labels

cla: yes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wchargin @stephanwlee @joyceerhl