Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document. While this was done in a safe way (the map container does not use cookies), it is not a best practice to load a script originating from document.referrer. This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
2021-11-29 19:05:13 +01:00
parent 233c3d1abe
commit 41fd848fa0
27 changed files with 167 additions and 204 deletions
@@ -0,0 +1,15 @@
+<!doctype html>
+<html lang="en">
+    <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
+        <script>
+            window.addEventListener('load', () => {
+                WA.room.setProperty('iframeTest', 'openWebsite', 'https://www.wikipedia.org/');
+                WA.room.setProperty('metadata', 'openWebsite', 'https://www.wikipedia.org/');
+            })
+        </script>
+    </head>
+    <body>
+        <p>Change the url of this iframe and add the 'openWebsite' property to the red tile layer</p>
+    </body>
+</html>