Revert "core: add CSP header for Colab output frames (#2390)"

wchargin · wchargin · commit 0be729486c2e · 2019-06-27T16:16:43.000-07:00
Summary: This commit broke Jupyter notebook integration: a content security policy that whitelists Colab also blocks access by any Jupyter notebooks. I don’t see a simple fix for this other than permitting all frame ancestors: Jupyter origins are arbitrary, and we can’t use `'self'` because Jupyter and TensorBoard are not in fact served from the same origin. This reverts commit ff05d1a. Test Plan: Build the Pip package, then install it into a virtualenv with Jupyter. From a Jupyter notebook, run `%tensorboard --logdir logs`. Before this commit, that rendered an empty cell and printed a console error, > Refused to display 'http://localhost:6006/' in a frame because an > ancestor violates the following Content Security Policy directive: > "frame-ancestors https://*.googleusercontent.com > https://*.google.com". As of this commit, this renders a working TensorBoard. wchargin-branch: revert-colab-csp
diff --git a/tensorboard/backend/application.py b/tensorboard/backend/application.py
@@ -24,7 +24,6 @@
 
 import atexit
 import collections
-import functools
 import json
 import os
 import re
@@ -37,7 +36,6 @@
 import six
 from six.moves.urllib import parse as urlparse  # pylint: disable=wrong-import-order
 
-import werkzeug
 from werkzeug import wrappers
 
 from tensorboard.backend import http_util
@@ -326,33 +324,6 @@ def _serve_plugins_listing(self, request):
       response[plugin.plugin_name] = plugin_metadata
     return http_util.Respond(request, response, 'application/json')
 
-  def _headers_with_colab_csp(self, headers):
-    """Add a Content-Security-Policy facilitating Colab output frames.
-
-    This is intended for use with the `google.colab.kernel.proxyPort`
-    JavaScript function available from within a Colab output frame.
-
-    If the headers already include an explicit CSP, they are returned
-    unchanged.
-
-    Args:
-      headers: A list of WSGI headers (key-value tuples of `str`s).
-
-    Returns:
-      A new list of WSGI headers; the original is unchanged.
-    """
-    # use a Werkzeug `Headers` object for proper case-insensitivity
-    headers = werkzeug.Headers(headers)
-    csp_key = 'Content-Security-Policy'
-    if csp_key not in headers:
-      allowed_ancestors = ' '.join([
-          'https://*.googleusercontent.com',
-          'https://*.google.com',
-      ])
-      csp = 'frame-ancestors %s' % allowed_ancestors
-      headers[csp_key] = csp
-    return headers.to_wsgi_list()
-
   def __call__(self, environ, start_response):  # pylint: disable=invalid-name
     """Central entry point for the TensorBoard application.
 
@@ -373,17 +344,13 @@ class are WSGI applications.
     parsed_url = urlparse.urlparse(request.path)
     clean_path = _clean_path(parsed_url.path, self._path_prefix)
 
-    @functools.wraps(start_response)
-    def new_start_response(status, headers):
-      return start_response(status, self._headers_with_colab_csp(headers))
-
     # pylint: disable=too-many-function-args
     if clean_path in self.data_applications:
-      return self.data_applications[clean_path](environ, new_start_response)
+      return self.data_applications[clean_path](environ, start_response)
     else:
       logger.warn('path %s not found, sending 404', clean_path)
       return http_util.Respond(request, 'Not found', 'text/plain', code=404)(
-          environ, new_start_response)
+          environ, start_response)
     # pylint: enable=too-many-function-args
 
 
diff --git a/tensorboard/backend/application_test.py b/tensorboard/backend/application_test.py
@@ -36,7 +36,6 @@
 except ImportError:
   import mock  # pylint: disable=g-import-not-at-top,unused-import
 
-import werkzeug
 from werkzeug import test as werkzeug_test
 from werkzeug import wrappers
 
@@ -149,23 +148,13 @@ def setUp(self):
             is_active_value=True,
             routes_mapping={
                 '/esmodule': lambda req: None,
-                '/no_csp': functools.partial(self._serve, False),
-                '/csp': functools.partial(self._serve, True),
             },
             es_module_path_value='/esmodule'
         ),
     ]
     app = application.TensorBoardWSGI(plugins)
     self.server = werkzeug_test.Client(app, wrappers.BaseResponse)
 
-  @wrappers.Request.application
-  def _serve(self, include_csp, request):
-    assert isinstance(include_csp, bool), include_csp
-    response = wrappers.Response('hello\n')
-    if include_csp:
-      response.headers['CONTENT-sEcUrItY-POLICY'] = "frame-ancestors 'none'"
-    return response
-
   def _get_json(self, path):
     response = self.server.get(path)
     self.assertEqual(200, response.status_code)
@@ -217,27 +206,6 @@ def testPluginsListing(self):
         }
     )
 
-  def testColabCsp_whenNoCspPresent(self):
-    response = self.server.get('/data/plugin/baz/no_csp')
-    self.assertEqual(
-        response.headers.get('Content-Security-Policy'),
-        'frame-ancestors https://*.googleusercontent.com https://*.google.com',
-    )
-
-  def testColabCsp_whenExistingCspPresent(self):
-    response = self.server.get('/data/plugin/baz/csp')
-    self.assertEqual(
-        response.headers.get('Content-Security-Policy'),
-        "frame-ancestors 'none'",
-    )
-
-  def testColabCsp_on404(self):
-    response = self.server.get('/asdf')
-    self.assertEqual(404, response.status_code)
-    self.assertEqual(
-        response.headers.get('Content-Security-Policy'),
-        'frame-ancestors https://*.googleusercontent.com https://*.google.com',
-    )
 
 class ApplicationBaseUrlTest(tb_test.TestCase):
   path_prefix = '/test'
