
Remove Origin and Referer headers while proxying requests

Fix #13949
Fix #13328

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
Julien Pivotto 7 years ago
parent
commit
62417ca69f
2 changed files with 14 additions and 1 deletions
  1. 4 0
      pkg/api/pluginproxy/ds_proxy.go
  2. 10 1
      pkg/api/pluginproxy/ds_proxy_test.go

+ 4 - 0
pkg/api/pluginproxy/ds_proxy.go

@@ -195,6 +195,10 @@ func (proxy *DataSourceProxy) getDirector() func(req *http.Request) {
 		req.Header.Del("X-Forwarded-Proto")
 		req.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", setting.BuildVersion))
 
+		// Clear Origin and Referer to avoir CORS issues
+		req.Header.Del("Origin")
+		req.Header.Del("Referer")
+
 		// set X-Forwarded-For header
 		if req.RemoteAddr != "" {
 			remoteAddr, _, err := net.SplitHostPort(req.RemoteAddr)
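Review bot: The comment above the two added `req.Header.Del` calls is misspelled ("avoir") and names only CORS, which understates what the deletion changes for the datasource backend. Referer normally carries the URL of the page that issued the request, so dropping it also stops Grafana page URLs from being forwarded upstream. With Origin removed, the backend can no longer apply origin-based checks to proxied requests, so any such check has to happen on the Grafana side before this director runs, which is not visible in this hunk. I would reword the comment to something like `// Drop Origin and Referer: browser-set headers that cause CORS rejections upstream and would forward the Grafana page URL to the datasource`. The director closure starts and ends outside the hunk.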

+ 10 - 1
pkg/api/pluginproxy/ds_proxy_test.go

@@ -371,13 +371,22 @@ func TestDSRouteRule(t *testing.T) {
 			ctx := &m.ReqContext{}
 			proxy := NewDataSourceProxy(ds, plugin, ctx, "/path/to/folder/")
 			req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
+			req.Header.Add("Origin", "grafana.com")
+			req.Header.Add("Referer", "grafana.com")
+			req.Header.Add("X-Canary", "stillthere")
 			So(err, ShouldBeNil)
 
 			proxy.getDirector()(req)
 
-			Convey("Shoudl keep user request (including trailing slash)", func() {
+			Convey("Should keep user request (including trailing slash)", func() {
 				So(req.URL.String(), ShouldEqual, "http://host/root/path/to/folder/")
 			})
+
+			Convey("Origin and Referer headers should be dropped", func() {
+				So(req.Header.Get("Origin"), ShouldEqual, "")
+				So(req.Header.Get("Referer"), ShouldEqual, "")
+				So(req.Header.Get("X-Canary"), ShouldEqual, "stillthere")
+			})
 		})
 	})
 }
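Review bot: The three added `req.Header.Add` calls run before `So(err, ShouldBeNil)`, so a failing `http.NewRequest` would show up as a nil-pointer panic on `req.Header` instead of a failed assertion. Move `So(err, ShouldBeNil)` directly under the `http.NewRequest` line and add the headers after it. The `X-Canary` control is a useful check that the director does not strip unrelated headers. The Origin and Referer values would be more representative as full URLs such as `http://grafana.com` rather than a bare host. TestDSRouteRule starts outside the hunk.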