
Add blob: support to default CSP frame-src policy#1336

Merged
richard-to merged 7 commits intomainfrom
copilot/update-csp-frame-src-policy
Jan 30, 2026

Conversation

Contributor

Copilot AI commented Jan 28, 2026

✅ Complete: Update default CSP frame-src to support SafeContentFrame

All tasks completed successfully!

  • Update the frame-src CSP directive to support blob: URLs
  • Simplify CSP by removing redundant https://*.scf.usercontent.goog (covered by * wildcard)
  • Update comment to be more accurate: "Mesop app developers should be able to iframe other sites from various origins"
  • Create a test example page that uses an iframe with blob: URL
  • Add a Playwright e2e test to verify the CSP header includes the correct frame-src directive
  • Address all code review feedback
  • Update all CSP snapshot files with new frame-src directive
  • CodeQL security check passed with 0 vulnerabilities

Final Change

# Mesop app developers should be able to iframe other sites from various origins.
"frame-src": "* blob:"

This allows:

  • Any network URLs (* covers http, https, ws, wss)
  • Any blob URLs (blob: for SafeContentFrame and similar components)

This change is backward compatible and enables SafeContentFrame usage for Google's internal tooling.

Original prompt

This section details the original issue you should resolve

<issue_title>Update default CSP frame-src to support SafeContentFrame (blob: URLs)</issue_title>
<issue_description>Describe the bug
The default Content Security Policy (CSP) set in Mesop's static_file_serving.py currently includes "frame-src": "*". This policy prevents the use of components that rely on SafeContentFrame (e.g., safe_vega for rendering Vega-Lite charts inside Google), because SafeContentFrame creates iframes using blob: URLs and loads resources from https://*.scf.usercontent.goog.

The browser's CSP enforcement blocks these iframes because the wildcard * in frame-src does not match the blob: scheme, which must be explicitly listed.

The error message seen in the browser console is typically:
Refused to frame '' because it violates the following Content Security Policy directive: "frame-src *". Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches 'self's scheme. The scheme 'blob:' must be added explicitly.

To support standard Google tooling like SafeContentFrame (go/safecontentframe), the frame-src directive needs to be updated.

To Reproduce
Steps to reproduce the behavior:

Create a Mesop application.
In a component, use a library that utilizes SafeContentFrame. For Googlers, an example is google3.javascript.analysis.data.common.vega.renderer.safe_vega.
Run the Mesop application.
Open the browser's developer console.
Observe the CSP error related to frame-src and blob:.

Expected behavior
Components using SafeContentFrame should render without CSP errors. The default Mesop CSP policy should be compatible with SafeContentFrame's requirements.

Screenshots

Desktop System Info

OS: gLinux
Browser: Chrome
Version: Latest

Additional context
The necessary CSP for SafeContentFrame is documented at go/safecontentframe#content-security-policy.

The proposed fix is to modify the default frame-src value in third_party/py/mesop/server/static_file_serving.py.

Change From:

"frame-src": "*",
Change To:

"frame-src": "* blob: https://*.scf.usercontent.goog",
This change broadens the existing policy to include the schemes and sources required by SafeContentFrame without removing existing permissions.

This is currently blocking a time-sensitive demo.
</issue_description>

<agent_instructions>Take a look at server/static_file_serving.py. Let's try to add a playwright test for this if possible</agent_instructions>

Comments on the Issue (you are @copilot in this section)
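The rule the issue quotes from the browser console (the `*` source expression in `frame-src` covers only network schemes or the document's own scheme, so `blob:` has to be listed explicitly) is easy to reason about with a small matcher. The following is an added example, not Mesop's code and not part of this PR: it parses a CSP header into directives and decides whether a given frame URL is allowed by `frame-src`, following the CSP3 matching rules for `*`, scheme-sources such as `blob:`, and host-sources with a `*.` subdomain wildcard. The header strings `MESOP_OLD_CSP` and `MESOP_NEW_CSP` are constructed here to mirror the before and after values discussed above (`frame-src *` versus `frame-src * blob:`); the matcher deliberately models only the pieces the issue touches (no `'self'` origin comparison, no port matching, no http-to-https upgrade), and those simplifications are marked in comments.

```python
"""Added example (not part of Mesop or PR #1336): minimal CSP frame-src matcher
that reproduces the browser rule behind the issue. '*' matches only network
schemes (http, https, ws, wss) or the page's own scheme; 'blob:' and 'data:'
must be listed as explicit scheme-sources."""
from __future__ import annotations

from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}

# Constructed sample headers mirroring the before/after frame-src values in the PR.
MESOP_OLD_CSP = "default-src 'self'; frame-src *"
MESOP_NEW_CSP = "default-src 'self'; frame-src * blob:"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_matches(pattern: str, host: str) -> bool:
    """Host-source matching: '*.example.com' matches a.example.com, not example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(source: str, url: str, self_scheme: str) -> bool:
    """Does one frame-src source expression permit framing `url`?"""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    src = source.lower()
    if src == "*":
        # The wildcard never covers blob:, data: or filesystem: URLs.
        return scheme in NETWORK_SCHEMES or scheme == self_scheme
    if src.startswith("'"):
        # Keyword sources: only 'none' is modelled here; 'self' origin
        # comparison is a simplification left out of this example.
        return False
    if src.endswith(":") and "/" not in src:
        # scheme-source, e.g. 'blob:' or 'https:'
        return scheme == src[:-1]
    # host-source, optionally with an explicit scheme and a '*.' wildcard.
    if "://" in src:
        src_scheme, _, src_host = src.partition("://")
        if scheme != src_scheme:  # simplified: no http -> https upgrade rule
            return False
    else:
        src_host = src
        if scheme not in NETWORK_SCHEMES and scheme != self_scheme:
            return False
    src_host = src_host.split("/")[0].split(":")[0]  # drop path and port
    return host_matches(src_host, parts.hostname or "")


def frame_allowed(header: str, url: str, self_scheme: str = "https") -> bool:
    """Is framing `url` allowed? frame-src governs, falling back to
    child-src and then default-src as the CSP spec prescribes."""
    policy = parse_csp(header)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_matches(s, url, self_scheme) for s in policy[directive])
    return True  # no governing directive: framing is unrestricted


if __name__ == "__main__":
    # Constructed blob: URL of the kind SafeContentFrame creates.
    blob_url = "blob:http://localhost:32123/3f0c7b2e-example"
    for label, header in (("old", MESOP_OLD_CSP), ("new", MESOP_NEW_CSP)):
        print(f"{label}: {header!r} allows {blob_url}: {frame_allowed(header, blob_url)}")
```

Running the block prints that the old header refuses the blob: frame while the new one permits it. The same matcher also shows why the explicit `https://*.scf.usercontent.goog` source from the issue's original proposal was redundant: any https host is already matched by `*`, so dropping it (as the final change does) does not narrow the policy.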



Copilot AI and others added 3 commits January 28, 2026 18:21
Co-authored-by: richard-to <539889+richard-to@users.noreply.github.com>
Co-authored-by: richard-to <539889+richard-to@users.noreply.github.com>
Co-authored-by: richard-to <539889+richard-to@users.noreply.github.com>
Copilot AI changed the title [WIP] Update default CSP frame-src to support SafeContentFrame Support SafeContentFrame in default CSP frame-src policy Jan 28, 2026
Copilot AI requested a review from richard-to January 28, 2026 18:29
Comment thread mesop/server/static_file_serving.py Outdated
Comment thread mesop/server/static_file_serving.py Outdated
…card)

Co-authored-by: richard-to <539889+richard-to@users.noreply.github.com>
Copilot AI changed the title Support SafeContentFrame in default CSP frame-src policy Add blob: support to default CSP frame-src policy Jan 28, 2026
Copilot AI requested a review from richard-to January 28, 2026 20:24
Comment thread mesop/server/static_file_serving.py Outdated
Co-authored-by: richard-to <539889+richard-to@users.noreply.github.com>
@richard-to richard-to marked this pull request as ready for review January 28, 2026 20:44
@richard-to richard-to merged commit 34b0fc2 into main Jan 30, 2026
4 checks passed