DataProxy: Populate X-Grafana-Referer header (#60040)

* ProxyUtil: Populate X-Grafana-Referer header

* ProxyUtil: Move Referer/Origin header removal

So that the removal and setting X-Grafana-Referer logic applies to all
proxied requests and not just datasource proxy.

* ProxyUtil: Test to guard against multiline headers

* ProxyUtil: Explicitly check injected header isn't parsed

pkg/util/proxyutil/proxyutil_test.go

@@ -8,6 +8,38 @@ import (
 )
 
 func TestPrepareProxyRequest(t *testing.T) {
+	t.Run("Prepare proxy request should clear Origin and Referer headers", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Origin", "https://host.com")
+		req.Header.Set("Referer", "https://host.com/dashboard")
+
+		PrepareProxyRequest(req)
+		require.NotContains(t, req.Header, "Origin")
+		require.NotContains(t, req.Header, "Referer")
+	})
+
+	t.Run("Prepare proxy request should set X-Grafana-Referer header", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Referer", "https://host.com/dashboard")
+
+		PrepareProxyRequest(req)
+		require.Contains(t, req.Header, "X-Grafana-Referer")
+		require.Equal(t, "https://host.com/dashboard", req.Header.Get("X-Grafana-Referer"))
+	})
+
+	t.Run("Prepare proxy request X-Grafana-Referer handles multiline", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Referer", "https://www.google.ch\r\nOtherHeader:https://www.somethingelse.com")
+
+		PrepareProxyRequest(req)
+		require.Contains(t, req.Header, "X-Grafana-Referer")
+		require.NotContains(t, req.Header, "OtherHeader")
+		require.Equal(t, "https://www.google.ch\r\nOtherHeader:https://www.somethingelse.com", req.Header.Get("X-Grafana-Referer"))
+	})
+
 	t.Run("Prepare proxy request should clear X-Forwarded headers", func(t *testing.T) {
 		req, err := http.NewRequest(http.MethodGet, "/", nil)
 		require.NoError(t, err)