From f890cb23b816e8d91baba8d7aed34a426da13d88 Mon Sep 17 00:00:00 2001
From: Esteban Beltran <academo@users.noreply.github.com>
Date: Wed, 27 Sep 2023 16:50:23 +0200
Subject: [PATCH] Sandbox: use same trusted types default policy than grafana
 main realm (#75539)

---
 public/app/core/trustedTypePolicies.ts        | 36 ++++++++++---------
 .../plugins/sandbox/sandbox_plugin_loader.ts  |  7 ++--
 2 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/public/app/core/trustedTypePolicies.ts b/public/app/core/trustedTypePolicies.ts
index 997e4215194..6dedb7f68e8 100644
--- a/public/app/core/trustedTypePolicies.ts
+++ b/public/app/core/trustedTypePolicies.ts
@@ -3,27 +3,29 @@ import { config } from '@grafana/runtime';
 
 const CSP_REPORT_ONLY_ENABLED = config.bootData.settings.cspReportOnlyEnabled;
 
+export const defaultTrustedTypesPolicy = {
+  createHTML: (string: string, source: string, sink: string) => {
+    if (!CSP_REPORT_ONLY_ENABLED) {
+      return string.replace(/<script/gi, '&lt;script');
+    }
+    console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
+    return string;
+  },
+  createScript: (string: string) => string,
+  createScriptURL: (string: string, source: string, sink: string) => {
+    if (!CSP_REPORT_ONLY_ENABLED) {
+      return textUtil.sanitizeUrl(string);
+    }
+    console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
+    return string;
+  },
+};
+
 if (
   config.bootData.settings.trustedTypesDefaultPolicyEnabled &&
   window.trustedTypes &&
   window.trustedTypes.createPolicy
 ) {
   // check if browser supports Trusted Types
-  window.trustedTypes.createPolicy('default', {
-    createHTML: (string, source, sink) => {
-      if (!CSP_REPORT_ONLY_ENABLED) {
-        return string.replace(/<script/gi, '&lt;script');
-      }
-      console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
-      return string;
-    },
-    createScript: (string) => string,
-    createScriptURL: (string, source, sink) => {
-      if (!CSP_REPORT_ONLY_ENABLED) {
-        return textUtil.sanitizeUrl(string);
-      }
-      console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
-      return string;
-    },
-  });
+  window.trustedTypes.createPolicy('default', defaultTrustedTypesPolicy);
 }
diff --git a/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts b/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts
index b9ea8fc584e..90ab57515ae 100644
--- a/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts
+++ b/public/app/features/plugins/sandbox/sandbox_plugin_loader.ts
@@ -2,6 +2,7 @@ import createVirtualEnvironment from '@locker/near-membrane-dom';
 import { ProxyTarget } from '@locker/near-membrane-shared';
 
 import { PluginMeta } from '@grafana/data';
+import { defaultTrustedTypesPolicy } from 'app/core/trustedTypePolicies';
 
 import { getPluginSettings } from '../pluginSettings';
 
@@ -72,11 +73,7 @@ async function doImportPluginModuleInSandbox(meta: PluginMeta): Promise<System.M
       // distortions are interceptors to modify the behavior of objects when
       // the code inside the sandbox tries to access them
       distortionCallback,
-      defaultPolicy: {
-        createHTML: (string: string) => string,
-        createScript: (string: string) => string,
-        createScriptURL: (string: string) => string,
-      },
+      defaultPolicy: defaultTrustedTypesPolicy,
       liveTargetCallback: isLiveTarget,
       // endowments are custom variables we make available to plugins in their window object
       endowments: Object.getOwnPropertyDescriptors({