Fixed potential injection by switching map container to PHP
Some HTML files were importing iframe_api.js automatically by detecting the referrer document. While this was done in a safe way (the map container does not use cookies), it is not a best practice to load a script originating from document.referrer. This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
This commit is contained in:
parent
233c3d1abe
commit
41fd848fa0
@ -101,7 +101,10 @@
|
||||
"host": {
|
||||
"url": "maps-"+url
|
||||
},
|
||||
"ports": [80]
|
||||
"ports": [80],
|
||||
"env": {
|
||||
"FRONT_URL": "https://play-"+url
|
||||
}
|
||||
},
|
||||
"redis": {
|
||||
"image": "redis:6",
|
||||
|
@ -92,11 +92,12 @@ services:
|
||||
- "traefik.http.routers.pusher-ssl.service=pusher"
|
||||
|
||||
maps:
|
||||
image: thecodingmachine/nodejs:12-apache
|
||||
image: thecodingmachine/php:8.1-v4-apache-node12
|
||||
environment:
|
||||
DEBUG_MODE: "$DEBUG_MODE"
|
||||
HOST: "0.0.0.0"
|
||||
NODE_ENV: development
|
||||
FRONT_URL: http://play.workadventure.localhost
|
||||
#APACHE_DOCUMENT_ROOT: dist/
|
||||
#APACHE_EXTENSIONS: headers
|
||||
#APACHE_EXTENSION_HEADERS: 1
|
||||
|
@ -96,11 +96,12 @@ services:
|
||||
- "traefik.http.routers.pusher-ssl.service=pusher"
|
||||
|
||||
maps:
|
||||
image: thecodingmachine/nodejs:12-apache
|
||||
image: thecodingmachine/php:8.1-v4-apache-node12
|
||||
environment:
|
||||
DEBUG_MODE: "$DEBUG_MODE"
|
||||
HOST: "0.0.0.0"
|
||||
NODE_ENV: development
|
||||
FRONT_URL: http://play.workadventure.localhost
|
||||
#APACHE_DOCUMENT_ROOT: dist/
|
||||
#APACHE_EXTENSIONS: headers
|
||||
#APACHE_EXTENSION_HEADERS: 1
|
||||
|
@ -12,8 +12,8 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"website_in_map_script.html"
|
||||
},
|
||||
"value":"website_in_map_script.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
"type":"bool",
|
||||
@ -24,7 +24,7 @@
|
||||
"width":30,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":30,
|
||||
@ -36,7 +36,7 @@
|
||||
"width":30,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"draworder":"topdown",
|
||||
"id":3,
|
||||
@ -90,4 +90,4 @@
|
||||
"type":"map",
|
||||
"version":1.5,
|
||||
"width":30
|
||||
}
|
||||
}
|
||||
|
@ -1,12 +1,8 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
console.log('On load');
|
||||
WA.onInit().then(() => {
|
@ -1,18 +0,0 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<p>Website opened by script.</p>
|
||||
</body>
|
||||
</html>
|
@ -1 +1 @@
|
||||
WA.nav.openCoWebSite("cowebsiteAllowApi.html", true, "");
|
||||
WA.nav.openCoWebSite("cowebsiteAllowApi.php", true, "");
|
||||
|
14
maps/tests/Metadata/cowebsiteAllowApi.php
Normal file
14
maps/tests/Metadata/cowebsiteAllowApi.php
Normal file
@ -0,0 +1,14 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
window.addEventListener('load', () => {
|
||||
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<p>Website opened by script.</p>
|
||||
</body>
|
||||
</html>
|
@ -1,20 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<title>API in iframe menu</title>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body style="text-align: center">
|
||||
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
|
||||
</body>
|
||||
</html>
|
16
maps/tests/Metadata/customIframeMenuApi.php
Normal file
16
maps/tests/Metadata/customIframeMenuApi.php
Normal file
@ -0,0 +1,16 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<title>API in iframe menu</title>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
window.addEventListener('load', () => {
|
||||
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body style="text-align: center">
|
||||
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
|
||||
</body>
|
||||
</html>
|
@ -1,18 +0,0 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<p>Add a custom menu</p>
|
||||
</body>
|
||||
</html>
|
@ -7,9 +7,9 @@ WA.ui.registerMenuCommand('custom callback menu', () => {
|
||||
WA.ui.registerMenuCommand('custom iframe menu', {iframe: 'customIframeMenu.html'});
|
||||
|
||||
WA.room.onEnterZone('iframeMenu', () => {
|
||||
menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.html', allowApi: true});
|
||||
menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.php', allowApi: true});
|
||||
})
|
||||
|
||||
WA.room.onLeaveZone('iframeMenu', () => {
|
||||
menuIframeApi.remove();
|
||||
})
|
||||
})
|
||||
|
@ -54,7 +54,7 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"customMenu.html"
|
||||
"value":"customMenu.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
@ -97,4 +97,4 @@
|
||||
"type":"map",
|
||||
"version":"1.6",
|
||||
"width":10
|
||||
}
|
||||
}
|
||||
|
14
maps/tests/Metadata/customMenu.php
Normal file
14
maps/tests/Metadata/customMenu.php
Normal file
@ -0,0 +1,14 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
window.addEventListener('load', () => {
|
||||
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<p>Add a custom menu</p>
|
||||
</body>
|
||||
</html>
|
@ -1,18 +0,0 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
WA.player.onPlayerMove(console.log);
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<p>Log in the console the movement of the current player in the zone of the iframe</p>
|
||||
</body>
|
||||
</html>
|
@ -13,7 +13,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
|
||||
"height":10,
|
||||
@ -25,7 +25,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -36,8 +36,8 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"playerMove.html"
|
||||
},
|
||||
"value":"playerMove.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
"type":"bool",
|
||||
@ -48,7 +48,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"draworder":"topdown",
|
||||
"id":5,
|
||||
@ -105,7 +105,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":1,
|
||||
"properties":[
|
||||
@ -114,7 +114,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":2,
|
||||
"properties":[
|
||||
@ -123,7 +123,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":3,
|
||||
"properties":[
|
||||
@ -132,7 +132,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":4,
|
||||
"properties":[
|
||||
@ -141,7 +141,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":8,
|
||||
"properties":[
|
||||
@ -150,7 +150,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":9,
|
||||
"properties":[
|
||||
@ -159,7 +159,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":10,
|
||||
"properties":[
|
||||
@ -168,7 +168,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":11,
|
||||
"properties":[
|
||||
@ -177,7 +177,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":12,
|
||||
"properties":[
|
||||
@ -186,7 +186,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":16,
|
||||
"properties":[
|
||||
@ -195,7 +195,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":17,
|
||||
"properties":[
|
||||
@ -204,7 +204,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":18,
|
||||
"properties":[
|
||||
@ -213,7 +213,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":19,
|
||||
"properties":[
|
||||
@ -222,7 +222,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":20,
|
||||
"properties":[
|
||||
@ -233,7 +233,7 @@
|
||||
}]
|
||||
}],
|
||||
"tilewidth":32
|
||||
},
|
||||
},
|
||||
{
|
||||
"columns":8,
|
||||
"firstgid":65,
|
||||
@ -251,4 +251,4 @@
|
||||
"type":"map",
|
||||
"version":1.4,
|
||||
"width":10
|
||||
}
|
||||
}
|
||||
|
14
maps/tests/Metadata/playerMove.php
Normal file
14
maps/tests/Metadata/playerMove.php
Normal file
@ -0,0 +1,14 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
window.addEventListener('load', () => {
|
||||
WA.player.onPlayerMove(console.log);
|
||||
})
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<p>Log in the console the movement of the current player in the zone of the iframe</p>
|
||||
</body>
|
||||
</html>
|
@ -13,7 +13,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
|
||||
"height":10,
|
||||
@ -25,7 +25,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -36,8 +36,8 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"setProperty.html"
|
||||
},
|
||||
"value":"setProperty.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
"type":"bool",
|
||||
@ -48,7 +48,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -60,7 +60,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"draworder":"topdown",
|
||||
"id":5,
|
||||
@ -117,7 +117,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":1,
|
||||
"properties":[
|
||||
@ -126,7 +126,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":2,
|
||||
"properties":[
|
||||
@ -135,7 +135,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":3,
|
||||
"properties":[
|
||||
@ -144,7 +144,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":4,
|
||||
"properties":[
|
||||
@ -153,7 +153,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":8,
|
||||
"properties":[
|
||||
@ -162,7 +162,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":9,
|
||||
"properties":[
|
||||
@ -171,7 +171,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":10,
|
||||
"properties":[
|
||||
@ -180,7 +180,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":11,
|
||||
"properties":[
|
||||
@ -189,7 +189,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":12,
|
||||
"properties":[
|
||||
@ -198,7 +198,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":16,
|
||||
"properties":[
|
||||
@ -207,7 +207,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":17,
|
||||
"properties":[
|
||||
@ -216,7 +216,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":18,
|
||||
"properties":[
|
||||
@ -225,7 +225,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":19,
|
||||
"properties":[
|
||||
@ -234,7 +234,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":20,
|
||||
"properties":[
|
||||
@ -245,7 +245,7 @@
|
||||
}]
|
||||
}],
|
||||
"tilewidth":32
|
||||
},
|
||||
},
|
||||
{
|
||||
"columns":8,
|
||||
"firstgid":65,
|
||||
@ -263,4 +263,4 @@
|
||||
"type":"map",
|
||||
"version":1.4,
|
||||
"width":10
|
||||
}
|
||||
}
|
||||
|
@ -1,12 +1,8 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
WA.room.setProperty('iframeTest', 'openWebsite', 'https://www.wikipedia.org/');
|
||||
WA.room.setProperty('metadata', 'openWebsite', 'https://www.wikipedia.org/');
|
||||
@ -16,4 +12,4 @@
|
||||
<body>
|
||||
<p>Change the url of this iframe and add the 'openWebsite' property to the red tile layer</p>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
@ -1,12 +1,8 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
|
||||
window.addEventListener('load', () => {
|
||||
WA.room.setTiles([
|
||||
|
@ -43,7 +43,7 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"setTiles.html"
|
||||
"value":"setTiles.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
|
@ -1,12 +1,8 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
document.getElementById('show/hideLayer').onclick = () => {
|
||||
if (document.getElementById('show/hideLayer').checked) {
|
||||
@ -24,4 +20,4 @@
|
||||
<label for="show/hideLayer">Crysal Layer : </label><input type="checkbox" id="show/hideLayer" name="visible" value="show" checked>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
@ -13,7 +13,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
|
||||
"height":10,
|
||||
@ -25,7 +25,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[22, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 22, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -37,7 +37,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -48,8 +48,8 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"showHideLayer.html"
|
||||
},
|
||||
"value":"showHideLayer.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
"type":"bool",
|
||||
@ -60,7 +60,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"draworder":"topdown",
|
||||
"id":5,
|
||||
@ -117,7 +117,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":1,
|
||||
"properties":[
|
||||
@ -126,7 +126,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":2,
|
||||
"properties":[
|
||||
@ -135,7 +135,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":3,
|
||||
"properties":[
|
||||
@ -144,7 +144,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":4,
|
||||
"properties":[
|
||||
@ -153,7 +153,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":8,
|
||||
"properties":[
|
||||
@ -162,7 +162,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":9,
|
||||
"properties":[
|
||||
@ -171,7 +171,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":10,
|
||||
"properties":[
|
||||
@ -180,7 +180,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":11,
|
||||
"properties":[
|
||||
@ -189,7 +189,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":12,
|
||||
"properties":[
|
||||
@ -198,7 +198,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":16,
|
||||
"properties":[
|
||||
@ -207,7 +207,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":17,
|
||||
"properties":[
|
||||
@ -216,7 +216,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":18,
|
||||
"properties":[
|
||||
@ -225,7 +225,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":19,
|
||||
"properties":[
|
||||
@ -234,7 +234,7 @@
|
||||
"type":"bool",
|
||||
"value":true
|
||||
}]
|
||||
},
|
||||
},
|
||||
{
|
||||
"id":20,
|
||||
"properties":[
|
||||
@ -245,7 +245,7 @@
|
||||
}]
|
||||
}],
|
||||
"tilewidth":32
|
||||
},
|
||||
},
|
||||
{
|
||||
"columns":8,
|
||||
"firstgid":65,
|
||||
@ -263,4 +263,4 @@
|
||||
"type":"map",
|
||||
"version":1.4,
|
||||
"width":10
|
||||
}
|
||||
}
|
||||
|
@ -12,8 +12,8 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"shared_variables.html"
|
||||
},
|
||||
"value":"shared_variables.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
"type":"bool",
|
||||
@ -24,7 +24,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -36,7 +36,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"draworder":"topdown",
|
||||
"id":3,
|
||||
@ -59,7 +59,7 @@
|
||||
"width":252.4375,
|
||||
"x":2.78125,
|
||||
"y":2.5
|
||||
},
|
||||
},
|
||||
{
|
||||
"height":0,
|
||||
"id":5,
|
||||
@ -70,22 +70,22 @@
|
||||
"name":"default",
|
||||
"type":"string",
|
||||
"value":"default value"
|
||||
},
|
||||
},
|
||||
{
|
||||
"name":"jsonSchema",
|
||||
"type":"string",
|
||||
"value":"{}"
|
||||
},
|
||||
},
|
||||
{
|
||||
"name":"persist",
|
||||
"type":"bool",
|
||||
"value":true
|
||||
},
|
||||
},
|
||||
{
|
||||
"name":"readableBy",
|
||||
"type":"string",
|
||||
"value":""
|
||||
},
|
||||
},
|
||||
{
|
||||
"name":"writableBy",
|
||||
"type":"string",
|
||||
@ -128,4 +128,4 @@
|
||||
"type":"map",
|
||||
"version":1.5,
|
||||
"width":10
|
||||
}
|
||||
}
|
||||
|
@ -1,12 +1,8 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
window.addEventListener('load', () => {
|
||||
console.log('On load');
|
||||
WA.onInit().then(() => {
|
@ -1,13 +1,7 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<script>
|
||||
var script = document.createElement('script');
|
||||
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
|
||||
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
|
||||
script.setAttribute('src', document.referrer + 'iframe_api.js');
|
||||
document.head.appendChild(script);
|
||||
</script>
|
||||
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
|
||||
</head>
|
||||
<body>
|
||||
<button id="sendchat">Send chat message</button>
|
@ -20,7 +20,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -32,7 +32,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -43,8 +43,8 @@
|
||||
{
|
||||
"name":"openWebsite",
|
||||
"type":"string",
|
||||
"value":"iframe.html"
|
||||
},
|
||||
"value":"iframe.php"
|
||||
},
|
||||
{
|
||||
"name":"openWebsiteAllowApi",
|
||||
"type":"bool",
|
||||
@ -55,7 +55,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"data":[0, 0, 93, 0, 104, 0, 0, 0, 0, 0, 0, 0, 104, 0, 115, 0, 0, 0, 93, 0, 0, 0, 115, 0, 0, 0, 93, 0, 104, 0, 0, 0, 0, 0, 0, 0, 104, 0, 115, 93, 0, 0, 0, 0, 0, 0, 115, 0, 0, 104, 0, 0, 0, 0, 0, 0, 0, 0, 0, 115, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
|
||||
"height":10,
|
||||
@ -67,7 +67,7 @@
|
||||
"width":10,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
},
|
||||
{
|
||||
"draworder":"topdown",
|
||||
"id":3,
|
||||
@ -121,4 +121,4 @@
|
||||
"type":"map",
|
||||
"version":1.4,
|
||||
"width":10
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user