Sandbox: use same trusted types default policy than grafana main realm (#75539)

This commit is contained in:
Esteban Beltran 2023-09-27 16:50:23 +02:00 committed by GitHub
parent e4e19f6ca2
commit f890cb23b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 22 deletions


@ -3,27 +3,29 @@ import { config } from '@grafana/runtime';
const CSP_REPORT_ONLY_ENABLED = config.bootData.settings.cspReportOnlyEnabled;
export const defaultTrustedTypesPolicy = {
createHTML: (string: string, source: string, sink: string) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return string.replace(/<script/gi, '&lt;script');
}
console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
return string;
},
createScript: (string: string) => string,
createScriptURL: (string: string, source: string, sink: string) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return textUtil.sanitizeUrl(string);
}
console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
return string;
},
};
if (
config.bootData.settings.trustedTypesDefaultPolicyEnabled &&
window.trustedTypes &&
window.trustedTypes.createPolicy
) {
// check if browser supports Trusted Types
window.trustedTypes.createPolicy('default', {
createHTML: (string, source, sink) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return string.replace(/<script/gi, '&lt;script');
}
console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
return string;
},
createScript: (string) => string,
createScriptURL: (string, source, sink) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return textUtil.sanitizeUrl(string);
}
console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
return string;
},
});
window.trustedTypes.createPolicy('default', defaultTrustedTypesPolicy);
}
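Review bot: `defaultTrustedTypesPolicy` is now exported and reused as the plugin sandbox's default policy, but nothing on the export says what its callbacks actually guarantee: `createHTML` only rewrites `<script` to `&lt;script`, `createScript` returns its input untouched, and in CSP report-only mode every callback logs and returns the input unchanged, so a reader of the sandbox file could mistake it for a sanitizer. A TSDoc block on the `export const` should state that contract, roughly: `/** Default Trusted Types policy shared by the main realm and the plugin sandbox. createHTML only neutralises '<script', createScript is a pass-through, and in CSP report-only mode all callbacks log and return the input as-is; this is a backstop, not a substitute for sanitizing markup. */`. Because the same object is handed to `window.trustedTypes.createPolicy('default', …)` below, ending the literal with `} satisfies TrustedTypePolicyOptions;` would have the compiler check the callback signatures against the DOM type without widening the exported type.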


@ -2,6 +2,7 @@ import createVirtualEnvironment from '@locker/near-membrane-dom';
import { ProxyTarget } from '@locker/near-membrane-shared';
import { PluginMeta } from '@grafana/data';
import { defaultTrustedTypesPolicy } from 'app/core/trustedTypePolicies';
import { getPluginSettings } from '../pluginSettings';
@ -72,11 +73,7 @@ async function doImportPluginModuleInSandbox(meta: PluginMeta): Promise<System.M
// distortions are interceptors to modify the behavior of objects when
// the code inside the sandbox tries to access them
distortionCallback,
defaultPolicy: {
createHTML: (string: string) => string,
createScript: (string: string) => string,
createScriptURL: (string: string) => string,
},
defaultPolicy: defaultTrustedTypesPolicy,
liveTargetCallback: isLiveTarget,
// endowments are custom variables we make available to plugins in their window object
endowments: Object.getOwnPropertyDescriptors({
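Review bot: The switch from an identity policy to `defaultTrustedTypesPolicy` changes what plugin code gets back from sinks in the sandbox, and the line carries no explanation of why the host realm's policy is the right one here; a short comment would help, e.g. `// Reuse the main-realm policy so plugin output goes through the same createHTML/createScriptURL handling (and the same report-only logging) as host code.`. Note also that `app/core/trustedTypePolicies` registers the main-realm 'default' policy at module load (the top-level `createPolicy` call in the other file), so this import presumably ties that side effect to the sandbox module's load order; if that coupling is unwanted, the policy object could live in a side-effect-free module that both files import. The enclosing `doImportPluginModuleInSandbox` starts and ends outside the hunk.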