[main] Plugin fixes (#57399)

* Plugins: Remove support for V1 manifests

* Plugins: Make proxy endpoints not leak sensitive HTTP headers

* Security: Fix do not forward login cookie in outgoing requests

(cherry picked from commit 4539c33fce)

Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>

pkg/api/plugins_test.go

@@ -23,6 +23,7 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/contexthandler"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/pluginsettings"
 	"github.com/grafana/grafana/pkg/services/quota/quotatest"
@@ -313,6 +314,12 @@ func TestMakePluginResourceRequest(t *testing.T) {
 		pluginClient: &fakePluginClient{},
 	}
 	req := httptest.NewRequest(http.MethodGet, "/", nil)
+
+	const customHeader = "X-CUSTOM"
+	req.Header.Set(customHeader, "val")
+	ctx := contexthandler.WithAuthHTTPHeader(req.Context(), customHeader)
+	req = req.WithContext(ctx)
+
 	resp := httptest.NewRecorder()
 	pCtx := backend.PluginContext{}
 	err := hs.makePluginResourceRequest(resp, req, pCtx)
@@ -325,6 +332,7 @@ func TestMakePluginResourceRequest(t *testing.T) {
 	}
 
 	require.Equal(t, "sandbox", resp.Header().Get("Content-Security-Policy"))
+	require.Empty(t, req.Header.Get(customHeader))
 }
 
 func callGetPluginAsset(sc *scenarioContext) {