-
Notifications
You must be signed in to change notification settings - Fork 412
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove frame-ancestors CSP to allow embedding via iframe #5170
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5170 +/- ##
=======================================
Coverage 88.62% 88.62%
=======================================
Files 308 308
Lines 28059 28059
Branches 7598 7598
=======================================
Hits 24867 24867
Misses 2978 2978
Partials 214 214 ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
@canova, @julienw, @gregtatum I see you're involved in some similar conversations. Any suggestions or ideas on this? Somewhat related to #5148 as well. |
Here is an example on how I intend to use it. Any suggestions are welcome if there is a better way to do this instead of embedding an iframe. |
bf6d1a4
to
2d56f31
Compare
I believe most people I know are using this feature using window.open, but that said it's not a bad idea. It would be good to limit it to /from-post-message though, I think it should be possible to do it in My only request when running in an iframe, is being able to open the app in https://profiler.firefox.com/uploaded-recordings/ so that the user could see all uploaded profiles and possibly delete them. Also please note that we very recently changed the messages due to a problem we discovered, you can check this out in #5148. |
Also, I don't know vscode addon programming, but I'm surprised that an iframe loaded from vscode is restricted by the CSP. |
I think our previous service worker used the cached response for |
Wondering, would it be possible for an extension to open a top level navigation page instead of opening in an iframe?
Ah that's a good point! |
No. VS Code API expects a html string to be shown in a Webview. So we need to embed in an iframe inside that. VS Code's webview itself is also an iframe. So even if it provides API to use url instead of html string, it would still be an iframe and would respect CSP. I have the same issue, going through the service worker and some other code, I understood that this is essentially a single page app? I'm not sure how defining CSP for sub path would work. Though, I have a very limited understanding and haven't tried yet. |
About this. I was going to create another issue just now! I was wondering if we should have a way to disable profile uploads. While the feature is super useful, in this context it might not make much sense since the paradigm here is essentially opening a profile trace file inside an editor. I wouldn't expect additional ways to upload specific kind of files from inside VS Code. (Also not sure how we think about uploading non-Firefox profiles to this service, but that is separate) |
2d56f31
to
6ba2029
Compare
I think it's possible actually, it would be good to try. |
@julienw sure, let me try. I'll try to update/send another PR later today to try out how it works. I'm also wondering what do we gain by doing this though? In my (very limited) understanding, restricting frame ancestor is useful majorly to prevent click-jacking attacks. If we're willing to allow embedding in iframe from the major profiler endpoint, what is the harm in allowing for other peripheral endpoints as well? Just trying to understand this better! :) |
In my mind, we'll allow embedding only when requests come for /from-post-message, not all the other endpoints. Tell me if I'm missing something :-) |
I understand the intention. I just wasn't sure how much of a difference does it make and wanted to understand more thoughts to learn more! :) In any case, see the attempt in #5234? It seems to have another issue where netlify doesn't seem to allow setting headers for rewritten/proxied urls. Let me know if I can try something else which might work. |
Fix #5169.
While the
https://profiler.firefox.com/from-post-message/
endpoint is designed with iframes in mind, the actual deployment disallows embedding profiler in an iframe.I'm trying to use the profiler to analyse Android CPU profiles in an VSCode extension. And this ability would help a lot.
Proposing this change as I think this was the original intention.