Sandbox: Redirect calls to window.location to window.locationSandbox (#72252)

public/app/features/plugins/sandbox/code_loader.ts

@@ -58,10 +58,15 @@ export async function getPluginCode(meta: PluginMeta): Promise<string> {
     const response = await fetch('public/' + meta.module + '.js');
     let pluginCode = await response.text();
     pluginCode = patchPluginSourceMap(meta, pluginCode);
+    pluginCode = patchPluginAPIs(pluginCode);
     return pluginCode;
   }
 }
 
+function patchPluginAPIs(pluginCode: string): string {
+  return pluginCode.replace(/window\.location/gi, 'window.locationSandbox');
+}
+
 /**
  * Patches the plugin's module.js source code references to sourcemaps to include the full url
  * of the module.js file instead of the regular relative reference.

public/app/features/plugins/sandbox/sandbox_plugin_loader.ts

@@ -74,6 +74,11 @@ async function doImportPluginModuleInSandbox(meta: PluginMeta): Promise<unknown>
       liveTargetCallback: isLiveTarget,
       // endowments are custom variables we make available to plugins in their window object
       endowments: Object.getOwnPropertyDescriptors({
+        // window.location is unforgeable, we make the location available via endowments
+        // when the plugin code is loaded, the sandbox replaces the window.location with
+        // window.locationSandbox. In the future `window.location` could be a proxy if we
+        // want to intercept calls to it.
+        locationSandbox: window.location,
         // Plugins builds use the AMD module system. Their code consists
         // of a single function call to `define()` that internally contains all the plugin code.
         // This is that `define` function the plugin will call.