Fixed potential injection by switching map container to PHP
Some HTML files were importing iframe_api.js automatically by detecting the referrer document. While this was done in a safe way (the map container does not use cookies), it is not a best practice to load a script originating from document.referrer. This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
This commit is contained in:
David Négrier
parent
233c3d1abe
commit
41fd848fa0
27 changed files with 167 additions and 204 deletions
16
maps/tests/Metadata/customIframeMenuApi.php
Normal file
16
maps/tests/Metadata/customIframeMenuApi.php
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<title>API in iframe menu</title>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
window.addEventListener('load', () => {
|
||||
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body style="text-align: center">
|
||||
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
|
||||
</body>
|
||||
</html>
|
||||
Loading…
Add table
Add a link
Reference in a new issue