IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Sandbox: use same trusted types default policy than grafana main realm (#75539)

Browse Source
This commit is contained in:
Esteban Beltran 2023-09-27 16:50:23 +02:00 committed by GitHub
parent e4e19f6ca2
commit f890cb23b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
public/app/core/trustedTypePolicies.ts
View File

@ -3,27 +3,29 @@ import { config } from '@grafana/runtime';
const CSP_REPORT_ONLY_ENABLED = config.bootData.settings.cspReportOnlyEnabled; const CSP_REPORT_ONLY_ENABLED = config.bootData.settings.cspReportOnlyEnabled;
export const defaultTrustedTypesPolicy = {
createHTML: (string: string, source: string, sink: string) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return string.replace(/<script/gi, '&lt;script');
}
console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
return string;
},
createScript: (string: string) => string,
createScriptURL: (string: string, source: string, sink: string) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return textUtil.sanitizeUrl(string);
}
console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
return string;
},
};
if ( if (
config.bootData.settings.trustedTypesDefaultPolicyEnabled && config.bootData.settings.trustedTypesDefaultPolicyEnabled &&
window.trustedTypes && window.trustedTypes &&
window.trustedTypes.createPolicy window.trustedTypes.createPolicy
) { ) {
// check if browser supports Trusted Types // check if browser supports Trusted Types
window.trustedTypes.createPolicy('default', { window.trustedTypes.createPolicy('default', defaultTrustedTypesPolicy);
createHTML: (string, source, sink) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return string.replace(/<script/gi, '&lt;script');
}
console.error('[HTML not sanitized with Trusted Types]', string, source, sink);
return string;
},
createScript: (string) => string,
createScriptURL: (string, source, sink) => {
if (!CSP_REPORT_ONLY_ENABLED) {
return textUtil.sanitizeUrl(string);
}
console.error('[ScriptURL not sanitized with Trusted Types]', string, source, sink);
return string;
},
});
} }

7
public/app/features/plugins/sandbox/sandbox_plugin_loader.ts
View File

@ -2,6 +2,7 @@ import createVirtualEnvironment from '@locker/near-membrane-dom';
import { ProxyTarget } from '@locker/near-membrane-shared'; import { ProxyTarget } from '@locker/near-membrane-shared';
import { PluginMeta } from '@grafana/data'; import { PluginMeta } from '@grafana/data';
import { defaultTrustedTypesPolicy } from 'app/core/trustedTypePolicies';
import { getPluginSettings } from '../pluginSettings'; import { getPluginSettings } from '../pluginSettings';
@ -72,11 +73,7 @@ async function doImportPluginModuleInSandbox(meta: PluginMeta): Promise<System.M
// distortions are interceptors to modify the behavior of objects when // distortions are interceptors to modify the behavior of objects when
// the code inside the sandbox tries to access them // the code inside the sandbox tries to access them
distortionCallback, distortionCallback,
defaultPolicy: { defaultPolicy: defaultTrustedTypesPolicy,
createHTML: (string: string) => string,
createScript: (string: string) => string,
createScriptURL: (string: string) => string,
},
liveTargetCallback: isLiveTarget, liveTargetCallback: isLiveTarget,
// endowments are custom variables we make available to plugins in their window object // endowments are custom variables we make available to plugins in their window object
endowments: Object.getOwnPropertyDescriptors({ endowments: Object.getOwnPropertyDescriptors({