DataProxy: Populate X-Grafana-Referer header (#60040)

* ProxyUtil: Populate X-Grafana-Referer header

* ProxyUtil: Move Referer/Origin header removal

So that the removal and setting X-Grafana-Referer logic applies to all
proxied requests and not just datasource proxy.

* ProxyUtil: Test to guard against multiline headers

* ProxyUtil: Explicitly check injected header isn't parsed

pkg/util/proxyutil/proxyutil.go

@@ -7,9 +7,17 @@ import (
 )
 
 // PrepareProxyRequest prepares a request for being proxied.
-// Removes X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto headers.
+// Removes X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, Origin, Referer headers.
+// Set X-Grafana-Referer based on contents of Referer.
 // Set X-Forwarded-For headers.
 func PrepareProxyRequest(req *http.Request) {
+	// Set X-Grafana-Referer to correlate access logs to dashboards
+	req.Header.Set("X-Grafana-Referer", req.Header.Get("Referer"))
+
+	// Clear Origin and Referer to avoid CORS issues
+	req.Header.Del("Origin")
+	req.Header.Del("Referer")
+
 	req.Header.Del("X-Forwarded-Host")
 	req.Header.Del("X-Forwarded-Port")
 	req.Header.Del("X-Forwarded-Proto")