Docs: Add documentation about the frontend sandbox (#95467)

* Docs: Add documentation about the frontend sandbox * Clarify * minor style fix * fix list style * Update docs/sources/administration/plugin-management/index.md Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> * Update docs/sources/administration/plugin-management/index.md Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> * Add grafana version required for the plugin frontend sandbox --------- Co-authored-by: Irene Rodríguez <irene.rodriguez@grafana.com> Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-11-26 02:40:26 -06:00 · 2024-10-28 15:20:54 +01:00 · 2024-10-28 15:20:54 +01:00 · c7cdaedd6f
commit c7cdaedd6f
parent 55673e2f41
1 changed files with 46 additions and 0 deletions
--- a/docs/sources/administration/plugin-management/index.md
+++ b/docs/sources/administration/plugin-management/index.md
@ -228,6 +228,52 @@ WARN[06-01|16:45:59] Running an unsigned plugin   pluginID=<plugin id>
 If you're developing a plugin, then you can enable development mode to allow all unsigned plugins.
 {{% /admonition %}}

+## Plugin Frontend Sandbox
+
+The Plugin Frontend Sandbox is a security feature that isolates plugin frontend code from the main Grafana application.
+When enabled, plugins run in a separate JavaScript context, which provides several security benefits:
+
+- Prevents plugins from modifying parts of the Grafana interface outside their designated areas
+- Stops plugins from interfering with other plugins functionality
+- Protects core Grafana features from being altered by plugins
+- Prevents plugins from modifying global browser objects and behaviors
+
+### Enable Frontend Sandbox
+
+The Frontend Sandbox feature is currently behind the `pluginsFrontendSandbox` feature flag. To enable it, you'll need to:
+
+1. Enable the feature flag in your Grafana configuration. For more information about enabling feature flags, refer to [Configure feature toggles](/setup-grafana/configure-grafana/feature-toggles/).
+
+2. For self-hosted Grafana installations, add the plugin IDs you want to sandbox in the `security` section using the `enable_frontend_sandbox_for_plugins` configuration option.
+
+For Grafana Cloud users, you can simply use the toggle switch in the plugin catalog page to enable or disable the sandbox for each plugin. By default, the sandbox is disabled for all plugins.
+
+{{% admonition type="note" %}}
+Enabling the Frontend Sandbox might impact the performance of certain plugins. Only disable the sandbox if you fully trust the plugin and understand the security implications.
+{{% /admonition %}}
+
+### Compatibility
+
+The Frontend Sandbox is available in Grafana >=11.4. It is compatible with all types of plugins including app plugins, panel plugins, and data source plugins. Angular-based plugins are not supported. Plugins developed and signed by Grafana Labs are excluded and cannot be sandboxed.
+
+### When to Use Frontend Sandbox
+
+We strongly recommend enabling the Frontend Sandbox for plugins that allow users to write custom JavaScript code for data visualization or manipulation. These plugins, while powerful, can potentially execute arbitrary JavaScript code in your Grafana instance. The sandbox provides an additional layer of security by restricting what this code can access and modify.
+
+Examples of plugins where the sandbox is particularly important include:
+
+- Panel plugins that allow users to write custom JavaScript code
+- Plugins from untrusted sources
+
+### Troubleshooting
+
+If a plugin isn't functioning correctly with the Frontend Sandbox enabled:
+
+1. Temporarily disable the sandbox for that specific plugin
+1. Test if the plugin works correctly without the sandbox
+1. If the plugin only works with the sandbox disabled, ensure you trust the plugin source before continuing to use it without sandbox protection
+1. Report any sandbox-related issues to the plugin developer
+
 ## Learn more

 - [Browse plugins](/grafana/plugins)