Feature: Trusted Types support (#64975)

* Draft: Feature: Trusted Types support

* remove trusted-types package

* Create policy before jQuery and Angular is loaded and add feature flag

* Add trustedTypePolicies

* Sanitize scriptURL

* Add TT meta tag for test env

* Move trusted types into core

* Add DOMParser support for TrustedHTML

* Separate RSS sanitization and add better TrustedHTML support

* Get test CSP header from config

* Remove dompurify dep from core

* Add documentation for trusted types

* Apply suggestions from code review

Co-authored-by: Kristian Bremberg <114284895+KristianGrafana@users.noreply.github.com>

* Add comment about Github discussion thread and things breaking

* Remove changes from News panel

* Remove TT feature toggle

* Expose TT and CSPReportOnly to frontend

* Log errors in console when CSP report only is enabled

* Log error for reporting and remove test mode

* Only insert CSP header in HTML for dev env

* Update docs

---------

Co-authored-by: Tobias Skarhed <tobias.skarhed@gmail.com>
Co-authored-by: Tobias Skarhed <1438972+tskarhed@users.noreply.github.com>
This commit is contained in:
Kristian Bremberg
2023-04-27 18:20:37 +02:00
committed by GitHub
parent 278a8fccc9
commit 35407142d0
17 changed files with 110 additions and 5 deletions


@@ -8,6 +8,8 @@ import {
sanitizeUrl,
sanitizeTextPanelContent,
sanitizeSVGContent,
sanitizeTrustedTypes,
sanitizeTrustedTypesRSS,
} from './sanitize';
export const textUtil = {
@@ -17,4 +19,6 @@ export const textUtil = {
sanitizeTextPanelContent,
sanitizeUrl,
sanitizeSVGContent,
sanitizeTrustedTypes,
sanitizeTrustedTypesRSS,
};


@@ -47,6 +47,19 @@ export function sanitize(unsanitizedString: string): string {
}
}
export function sanitizeTrustedTypesRSS(unsanitizedString: string): TrustedHTML {
return DOMPurify.sanitize(unsanitizedString, {
RETURN_TRUSTED_TYPE: true,
ADD_ATTR: ['xmlns:atom', 'version', 'property', 'content'],
ADD_TAGS: ['rss', 'meta', 'channel', 'title', 'link', 'description', 'atom:link', 'item', 'pubDate', 'guid'],
PARSER_MEDIA_TYPE: 'application/xhtml+xml',
});
}
export function sanitizeTrustedTypes(unsanitizedString: string): TrustedHTML {
return DOMPurify.sanitize(unsanitizedString, { RETURN_TRUSTED_TYPE: true });
}
/**
* Returns string safe from XSS attacks to be used in the Text panel plugin.
*
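Review bot: `sanitizeTrustedTypesRSS` widens DOMPurify's default allowlist (`link` and `meta` tags via `ADD_TAGS`, `property`/`content` attributes via `ADD_ATTR`) without a comment saying why, or where its output is safe to go, and neither new function carries a doc comment even though the sibling below has one. Because `link` and `meta` survive this sanitizer, a TSDoc such as `/** Sanitizes an RSS/Atom feed document for parsing. Allows feed elements that the default sanitizer strips (link, meta, channel, item, ...), so the result must not be inserted into the page DOM. @returns TrustedHTML when a Trusted Types policy is available. */` would pin the intended scope; the feed-parsing use is inferred from the function name and the commit message, so confirm it before documenting. Both declared return types are `TrustedHTML`, but with `RETURN_TRUSTED_TYPE: true` DOMPurify returns a plain string when the browser has no Trusted Types support, so callers should not rely on the declared type at runtime and should coerce with `String(...)` or accept `TrustedHTML | string`. `sanitizeTrustedTypes` could carry the one-liner `/** DOMPurify default sanitization, returned as TrustedHTML so it can be assigned to Trusted Types enforced sinks. */`.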


@@ -198,6 +198,8 @@ export interface GrafanaConfig {
viewersCanEdit: boolean;
editorsCanAdmin: boolean;
disableSanitizeHtml: boolean;
trustedTypesDefaultPolicyEnabled: boolean;
cspReportOnlyEnabled: boolean;
liveEnabled: boolean;
/** @deprecated Use `theme2` instead. */
theme: GrafanaTheme;
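Review bot: The two new fields `trustedTypesDefaultPolicyEnabled` and `cspReportOnlyEnabled` are added to the public `GrafanaConfig` interface without a doc comment, while the neighbouring `theme` field shows the file's TSDoc convention; the same applies to the matching defaults in the `GrafanaBootConfig` section below. I would add `/** Whether the backend CSP enables a Trusted Types default policy for this page. */` above the first and `/** Whether CSP is served in report-only mode, so violations are reported rather than blocked. */` above the second. The boot-config defaults of `false` mean an older backend that omits these keys leaves both features off on the frontend, which is worth stating in the comment so that a missing key is not mistaken for a bug; that fallback is inferred from the defaults and should be confirmed against the backend serialization.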


@@ -81,6 +81,8 @@ export class GrafanaBootConfig implements GrafanaConfig {
viewersCanEdit = false;
editorsCanAdmin = false;
disableSanitizeHtml = false;
trustedTypesDefaultPolicyEnabled = false;
cspReportOnlyEnabled = false;
liveEnabled = true;
/** @deprecated Use `theme2` instead. */
theme: GrafanaTheme;