Allow embedding the profiler with iframe?

[nisargjhaveri]

I'm trying to use the https://profiler.firefox.com/from-post-message/ endpoint to embed the profiler in an VS Code extension. The API seems to have been designed for iframe usage (see #4835 (comment)).

Though, actually embedding the url in an iframe is blocked with Content-Security-Policy frame-ancestors 'self';

profiler/server.js

Line 62 in 1170042

frame-ancestors 'self';

profiler/res/_headers

Line 28 in 1170042

Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src http: https: data:; object-src 'none'; connect-src *; frame-ancestors 'self'; form-action 'none'; frame-src www.youtube-nocookie.com

Is this by design? Can we change this to allow others embedding the profiler in an iframe?

┆Issue is synchronized with this Jira Task