Remove frame-ancestors CSP to allow embedding via iframe

[nisargjhaveri]

Fix #5169.

While the https://profiler.firefox.com/from-post-message/ endpoint is designed with iframes in mind, the actual deployment disallows embedding profiler in an iframe.

I'm trying to use the profiler to analyse Android CPU profiles in an VSCode extension. And this ability would help a lot.

Proposing this change as I think this was the original intention.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.56%. Comparing base (3377d1a) to head (2d56f31).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5170   +/-   ##
=======================================
  Coverage   88.56%   88.56%           
=======================================
  Files         307      307           
  Lines       27936    27936           
  Branches     7560     7560           
=======================================
  Hits        24742    24742           
  Misses       2977     2977           
  Partials      217      217           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[nisargjhaveri]

@canova, @julienw, @gregtatum I see you're involved in some similar conversations. Any suggestions or ideas on this? Somewhat related to #5148 as well.

[nisargjhaveri]

Here is an example on how I intend to use it. Any suggestions are welcome if there is a better way to do this instead of embedding an iframe.

https://github.com/nisargjhaveri/vscode-android-debug/blob/f6d81aa8e277dfe4b28f79077daac2890937c98f/src/profile-viewer/profileCustomEditor.ts#L91-L150

[julienw]

I believe most people I know are using this feature using window.open, but that said it's not a bad idea.

It would be good to limit it to /from-post-message though, I think it should be possible to do it in _headers. Can you please try that?

My only request when running in an iframe, is being able to open the app in https://profiler.firefox.com/uploaded-recordings/ so that the user could see all uploaded profiles and possibly delete them.

Also please note that we very recently changed the messages due to a problem we discovered, you can check this out in #5148.

[julienw]

Also, I don't know vscode addon programming, but I'm surprised that an iframe loaded from vscode is restricted by the CSP.

[mstange]

It would be good to limit it to /from-post-message though, I think it should be possible to do it in _headers. Can you please try that?

I think our previous service worker used the cached response for / for everything that doesn't match a cached file path, but I'm not sure if that's still the case. If it is, I don't think having different headers for different paths would work.

[julienw]

Wondering, would it be possible for an extension to open a top level navigation page instead of opening in an iframe?

It would be good to limit it to /from-post-message though, I think it should be possible to do it in _headers. Can you please try that?

I think our previous service worker used the cached response for / for everything that doesn't match a cached file path, but I'm not sure if that's still the case. If it is, I don't think having different headers for different paths would work.

Ah that's a good point!

[nisargjhaveri]

Wondering, would it be possible for an extension to open a top level navigation page instead of opening in an iframe?

No. VS Code API expects a html string to be shown in a Webview. So we need to embed in an iframe inside that. VS Code's webview itself is also an iframe. So even if it provides API to use url instead of html string, it would still be an iframe and would respect CSP.

I have the same issue, going through the service worker and some other code, I understood that this is essentially a single page app? I'm not sure how defining CSP for sub path would work. Though, I have a very limited understanding and haven't tried yet.

[nisargjhaveri]

My only request when running in an iframe, is being able to open the app in https://profiler.firefox.com/uploaded-recordings/ so that the user could see all uploaded profiles and possibly delete them.

About this. I was going to create another issue just now! I was wondering if we should have a way to disable profile uploads. While the feature is super useful, in this context it might not make much sense since the paradigm here is essentially opening a profile trace file inside an editor. I wouldn't expect additional ways to upload specific kind of files from inside VS Code. (Also not sure how we think about uploading non-Firefox profiles to this service, but that is separate)

[nisargjhaveri]

@julienw, @mstange any more thoughts on this? I don't think it would be possible to limit only to one endpoint easily.