Sandbox: use same trusted types default policy than grafana main realm (#75539)
This commit is contained in:
parent
e4e19f6ca2
commit
f890cb23b8
@ -3,27 +3,29 @@ import { config } from '@grafana/runtime';
|
||||
|
||||
const CSP_REPORT_ONLY_ENABLED = config.bootData.settings.cspReportOnlyEnabled;
|
||||
|
||||
export const defaultTrustedTypesPolicy = {
|
||||
createHTML: (string: string, source: string, sink: string) => {
|
||||
if (!CSP_REPORT_ONLY_ENABLED) {
|
||||
return string.replace(/<script/gi, '<script');
|
||||
}
|
||||
console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
|
||||
return string;
|
||||
},
|
||||
createScript: (string: string) => string,
|
||||
createScriptURL: (string: string, source: string, sink: string) => {
|
||||
if (!CSP_REPORT_ONLY_ENABLED) {
|
||||
return textUtil.sanitizeUrl(string);
|
||||
}
|
||||
console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
|
||||
return string;
|
||||
},
|
||||
};
|
||||
|
||||
if (
|
||||
config.bootData.settings.trustedTypesDefaultPolicyEnabled &&
|
||||
window.trustedTypes &&
|
||||
window.trustedTypes.createPolicy
|
||||
) {
|
||||
// check if browser supports Trusted Types
|
||||
window.trustedTypes.createPolicy('default', {
|
||||
createHTML: (string, source, sink) => {
|
||||
if (!CSP_REPORT_ONLY_ENABLED) {
|
||||
return string.replace(/<script/gi, '<script');
|
||||
}
|
||||
console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
|
||||
return string;
|
||||
},
|
||||
createScript: (string) => string,
|
||||
createScriptURL: (string, source, sink) => {
|
||||
if (!CSP_REPORT_ONLY_ENABLED) {
|
||||
return textUtil.sanitizeUrl(string);
|
||||
}
|
||||
console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
|
||||
return string;
|
||||
},
|
||||
});
|
||||
window.trustedTypes.createPolicy('default', defaultTrustedTypesPolicy);
|
||||
}
|
||||
|
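Review bot: The sanitizing branch of `createHTML` reads on this page as `string.replace(/<script/gi, '<script')`, a replacement identical to its own pattern, which would make the non-report-only path a no-op; this is most likely the `&lt;script` entity being decoded by the page renderer, but since the exported object is now shared with the plugin sandbox the literal in the source is worth confirming. Even as intended, the policy neutralises only `<script` openers, `createScript` returns its input unchanged, and when `cspReportOnlyEnabled` is set every handler returns the input after a `console.error`, so the object logs more than it sanitises; a comment above `export const defaultTrustedTypesPolicy` stating that the handlers are best-effort and degrade to pass-through in report-only mode would keep consumers from reading it as a full HTML sanitiser. The object also carries no declared type; `export const defaultTrustedTypesPolicy: TrustedTypePolicyOptions = {` (from the DOM lib typings, if those are what provides `window.trustedTypes` here) would check the handler signatures against what `createPolicy` expects instead of relying on the call site at the bottom of the file.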
@ -2,6 +2,7 @@ import createVirtualEnvironment from '@locker/near-membrane-dom';
|
||||
import { ProxyTarget } from '@locker/near-membrane-shared';
|
||||
|
||||
import { PluginMeta } from '@grafana/data';
|
||||
import { defaultTrustedTypesPolicy } from 'app/core/trustedTypePolicies';
|
||||
|
||||
import { getPluginSettings } from '../pluginSettings';
|
||||
|
||||
@ -72,11 +73,7 @@ async function doImportPluginModuleInSandbox(meta: PluginMeta): Promise<System.M
|
||||
// distortions are interceptors to modify the behavior of objects when
|
||||
// the code inside the sandbox tries to access them
|
||||
distortionCallback,
|
||||
defaultPolicy: {
|
||||
createHTML: (string: string) => string,
|
||||
createScript: (string: string) => string,
|
||||
createScriptURL: (string: string) => string,
|
||||
},
|
||||
defaultPolicy: defaultTrustedTypesPolicy,
|
||||
liveTargetCallback: isLiveTarget,
|
||||
// endowments are custom variables we make available to plugins in their window object
|
||||
endowments: Object.getOwnPropertyDescriptors({
|
||||
|
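Review bot: `defaultPolicy: defaultTrustedTypesPolicy,` is the one option in this block without an explanatory comment, while `distortionCallback` and `endowments` beside it each have one; a line such as `// reuse the main realm's default Trusted Types policy so sandboxed plugins get the same createHTML/createScriptURL handling, including its report-only pass-through` would record why the former identity policy was dropped. The shared policy's `console.error` calls carry only `source` and `sink`, not which plugin produced the value, so a report raised from inside the sandbox is not attributable to `meta.id` from the log alone; whether near-membrane wraps or copies the policy object before use is not visible in this hunk. doImportPluginModuleInSandbox begins before this hunk and the `endowments` object continues past it.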