_Bastler/partey_workadventure
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Adding a warning regarding the "controlled" XSS in iframe.html

Browse Source
This commit is contained in:
David Négrier 2021-06-28 13:55:17 +02:00
parent 7f79c2dc4a
commit 303d2a7837
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
maps/tests/iframe.html
View File

@ -1,12 +1,11 @@
<!doctype html> <!doctype html>
<html lang="en"> <html lang="en">
<head> <head>
<script> <script>
var script = document.createElement('script'); var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js'); script.setAttribute('src', document.referrer + 'iframe_api.js');
script.defer = false;
script.async = false;
document.head.appendChild(script); document.head.appendChild(script);
</script> </script>
</head> </head>