Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document. While this was done in a safe way (the map container does not use cookies), it is not a best practice to load a script originating from document.referrer. This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
2021-11-29 19:05:13 +01:00 · 2021-11-29 19:05:13 +01:00 · 41fd848fa0
commit 41fd848fa0
parent 233c3d1abe
27 changed files with 167 additions and 204 deletions
--- a/maps/tests/Metadata/setTiles.html
+++ b/maps/tests/Metadata/setTiles.html
@ -1,12 +1,8 @@
 <!doctype html>
 <html lang="en">
    <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
        <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);

            window.addEventListener('load', () => {
                WA.room.setTiles([