diff --git a/tensorboard/backend/http_util.py b/tensorboard/backend/http_util.py
index f3caf3a73aa..bc0322f942f 100644
--- a/tensorboard/backend/http_util.py
+++ b/tensorboard/backend/http_util.py
@@ -36,7 +36,7 @@
# @vaadin/vaadin-lumo-styles/font-icons(via vaadin-grid) uses data URI for
# loading font icons.
_CSP_FONT_DOMAINS_WHITELIST = ["data:"]
-_CSP_FRAME_DOMAINS_WHITELIST = []
+_CSP_FRAME_DOMAINS_WHITELIST = ["https://ui.perfetto.dev"]
_CSP_IMG_DOMAINS_WHITELIST = []
_CSP_SCRIPT_DOMAINS_WHITELIST = []
_CSP_CONNECT_DOMAINS_WHITELIST = []
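Review bot: The new `https://ui.perfetto.dev` entry on the `_CSP_FRAME_DOMAINS_WHITELIST` line has no comment saying which component needs it, while the `data:` font entry directly above is documented with its consumer; add a matching note such as `# ui.perfetto.dev is framed by the trace viewer and is only reachable via postMessage from the parent page.` (adjust to the actual consumer, which is not visible in this diff). Widening `frame-src` to a third-party origin is a trust decision for every TensorBoard HTML response, since a compromised or changed Perfetto deployment would then run inside each page, isolated only by the same-origin policy, so whatever code frames it should pass an explicit `targetOrigin` to `postMessage` and check `event.origin` on anything received from the frame; that caller is outside this hunk, so it is worth confirming. The entry is an exact `https:` origin, so subdomains and a plain-`http:` fallback stay blocked, which is the scope one wants here.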
diff --git a/tensorboard/backend/http_util_test.py b/tensorboard/backend/http_util_test.py
index 6c6eb87a570..172e90b327b 100644
--- a/tensorboard/backend/http_util_test.py
+++ b/tensorboard/backend/http_util_test.py
@@ -229,10 +229,14 @@ def testCsp(self):
q, "hello", "text/html", csp_scripts_sha256s=["abcdefghi"]
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"
+ "connect-src 'self';"
+ "script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"
)
self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
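Review bot: The expected header is now spelled out in full in five near-identical tests, and the copies differ only in the trailing `script-src` directive, so every future whitelist change will have to be replicated five times; factoring the shared directives into a module-level constant such as `_CSP_COMMON_PREFIX = ("default-src 'self';font-src 'self' data:;frame-src 'self' https://ui.perfetto.dev;img-src 'self' data: blob:;object-src 'none';style-src 'self' https://www.gstatic.com data: 'unsafe-inline';connect-src 'self';")` and asserting `_CSP_COMMON_PREFIX + "script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"` keeps each test focused on the script-src variant it exercises. Asserting the exact header string, rather than a substring, is the right choice, because directive order and the `;` separators are part of what the browser parses. testCsp begins before this hunk.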
@@ -243,10 +247,14 @@ def testCsp_noHash(self):
q, "hello", "text/html", csp_scripts_sha256s=None
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'unsafe-eval'"
+ "connect-src 'self';"
+ "script-src 'unsafe-eval'"
)
self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
@@ -258,10 +266,14 @@ def testCsp_noHash_noUnsafeEval(self):
q, "hello", "text/html", csp_scripts_sha256s=None
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'none'"
+ "connect-src 'self';"
+ "script-src 'none'"
)
self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
@@ -273,10 +285,14 @@ def testCsp_onlySelf(self):
q, "hello", "text/html", csp_scripts_sha256s=None
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'self'"
+ "connect-src 'self';"
+ "script-src 'self'"
)
self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
@@ -287,10 +303,14 @@ def testCsp_disableUnsafeEval(self):
q, "hello", "text/html", csp_scripts_sha256s=["abcdefghi"]
)
expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
"style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'self' 'sha256-abcdefghi'"
+ "connect-src 'self';"
+ "script-src 'self' 'sha256-abcdefghi'"
)
self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)