From 0b8dd01049b6f610e4c159500f65c0ce1e7997ed Mon Sep 17 00:00:00 2001
From: Badr Badawi
Date: Thu, 15 Jan 2026 13:30:11 -0800
Subject: [PATCH 1/2] Make Megascale Perfetto tool available in open-source xprof
---
 tensorboard/backend/http_util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tensorboard/backend/http_util.py b/tensorboard/backend/http_util.py
index f3caf3a73aa..bc0322f942f 100644
--- a/tensorboard/backend/http_util.py
+++ b/tensorboard/backend/http_util.py
@@ -36,7 +36,7 @@
 # @vaadin/vaadin-lumo-styles/font-icons(via vaadin-grid) uses data URI for
 # loading font icons.
 _CSP_FONT_DOMAINS_WHITELIST = ["data:"]
-_CSP_FRAME_DOMAINS_WHITELIST = []
+_CSP_FRAME_DOMAINS_WHITELIST = ["https://ui.perfetto.dev"]
 _CSP_IMG_DOMAINS_WHITELIST = []
 _CSP_SCRIPT_DOMAINS_WHITELIST = []
 _CSP_CONNECT_DOMAINS_WHITELIST = []
From 4107841f8da7c77b1f76d5a5365a690f57549f9d Mon Sep 17 00:00:00 2001
From: Badr Badawi
Date: Thu, 15 Jan 2026 17:05:54 -0800
Subject: [PATCH 2/2] Fix http_util_test by including perfetto url in expected CSP
---
 tensorboard/backend/http_util_test.py | 50 +++++++++++++++++++--------
 1 file changed, 35 insertions(+), 15 deletions(-)
diff --git a/tensorboard/backend/http_util_test.py b/tensorboard/backend/http_util_test.py
index 6c6eb87a570..172e90b327b 100644
--- a/tensorboard/backend/http_util_test.py
+++ b/tensorboard/backend/http_util_test.py
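Review bot: `_CSP_FRAME_DOMAINS_WHITELIST` in http_util.py now carries `https://ui.perfetto.dev` as a module-level default with no comment saying why, unlike the font entry just above it, which names its consumer. Because this is a module constant, the origin presumably lands in `frame-src` for every HTML response rather than only for the profiler page that needs it (the expected strings in http_util_test.py later in this series point that way); consider scoping it to that plugin if the response builder allows it. At minimum add a comment such as `# The xprof Megascale Perfetto tool embeds the Perfetto UI in an iframe; keep this to the exact origin, no wildcards.` so a later reader can tell whether the entry is still needed. It is also worth confirming how trace data reaches the framed page, since anything the tool posts to that iframe leaves the TensorBoard origin.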
@@ -229,10 +229,14 @@ def testCsp(self):
 q, "hello", "text/html", csp_scripts_sha256s=["abcdefghi"]
 )
 expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"
+ "connect-src 'self';"
+ "script-src 'self' 'unsafe-eval' 'sha256-abcdefghi'"
 )
 self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
@@ -243,10 +247,14 @@ def testCsp_noHash(self):
 q, "hello", "text/html", csp_scripts_sha256s=None
 )
 expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'unsafe-eval'"
+ "connect-src 'self';"
+ "script-src 'unsafe-eval'"
 )
 self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
@@ -258,10 +266,14 @@ def testCsp_noHash_noUnsafeEval(self):
 q, "hello", "text/html", csp_scripts_sha256s=None
 )
 expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'none'"
+ "connect-src 'self';"
+ "script-src 'none'"
 )
 self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
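Review bot: The seven directives before `script-src` are now spelled out identically in `testCsp`, `testCsp_noHash` and `testCsp_noHash_noUnsafeEval` here, and again in `testCsp_onlySelf` and `testCsp_disableUnsafeEval` in the following hunks, so the next allowlist change means five parallel edits. Consider hoisting them into one module-level constant and letting each test append only its own tail, e.g. `expected_csp = _EXPECTED_CSP_PREFIX + "script-src 'self'"`. Keeping the origin as a literal in that constant, rather than reading it from `http_util`, preserves the useful property that widening the policy forces a deliberate test edit. Each test body starts outside its hunk, so the request setup is not visible here.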
@@ -273,10 +285,14 @@ def testCsp_onlySelf(self):
 q, "hello", "text/html", csp_scripts_sha256s=None
 )
 expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'self'"
+ "connect-src 'self';"
+ "script-src 'self'"
 )
 self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)
@@ -287,10 +303,14 @@ def testCsp_disableUnsafeEval(self):
 q, "hello", "text/html", csp_scripts_sha256s=["abcdefghi"]
 )
 expected_csp = (
- "default-src 'self';font-src 'self' data:;"
- "frame-src 'self';img-src 'self' data: blob:;object-src 'none';"
+ "default-src 'self';"
+ "font-src 'self' data:;"
+ "frame-src 'self' https://ui.perfetto.dev;"
+ "img-src 'self' data: blob:;"
+ "object-src 'none';"
 "style-src 'self' https://www.gstatic.com data: 'unsafe-inline';"
- "connect-src 'self';script-src 'self' 'sha256-abcdefghi'"
+ "connect-src 'self';"
+ "script-src 'self' 'sha256-abcdefghi'"
 )
 self.assertEqual(r.headers.get("Content-Security-Policy"), expected_csp)