From 046e9b76722453b3183e45a5798444107e25b035 Mon Sep 17 00:00:00 2001
From: Drew Slobodnjak <60050885+drew08t@users.noreply.github.com>
Date: Wed, 11 Oct 2023 09:21:02 -0700
Subject: [PATCH] Canvas: Button API - Block Calls to Grafana (#76309)

* Canvas: Button API - Block Calls to Grafana

* Move origin check inside of api logic

* Change grafana url source from href to origin

---------

Co-authored-by: nmarrs <nathanielmarrs@gmail.com>
---
 .../app/plugins/panel/canvas/editor/element/utils.ts  | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/public/app/plugins/panel/canvas/editor/element/utils.ts b/public/app/plugins/panel/canvas/editor/element/utils.ts
index b26544b8610..46201539f15 100644
--- a/public/app/plugins/panel/canvas/editor/element/utils.ts
+++ b/public/app/plugins/panel/canvas/editor/element/utils.ts
@@ -9,6 +9,11 @@ import { APIEditorConfig } from './APIEditor';
 
 export const callApi = (api: APIEditorConfig, isTest = false) => {
   if (api && api.endpoint) {
+    // If API endpoint origin matches Grafana origin, don't call it.
+    if (requestMatchesGrafanaOrigin(api.endpoint)) {
+      appEvents.emit(AppEvents.alertError, ['Cannot call API at Grafana origin.']);
+      return;
+    }
     const request = getRequest(api);
 
     getBackendSrv()
@@ -77,3 +82,9 @@ const getData = (api: APIEditorConfig) => {
 
   return data;
 };
+
+const requestMatchesGrafanaOrigin = (requestEndpoint: string) => {
+  const requestURL = new URL(requestEndpoint);
+  const grafanaURL = new URL(window.location.origin);
+  return requestURL.origin === grafanaURL.origin;
+};