Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.

maps/tests/iframe.php

@@ -0,0 +1,24 @@
+<!doctype html>
+<html lang="en">
+    <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
+    </head>
+    <body>
+        <button id="sendchat">Send chat message</button>
+        <script>
+            document.getElementById('sendchat').onclick = () => {
+                WA.chat.sendChatMessage('Hello world!', 'Mr ROBOT');
+            }
+        </script>
+        <div id="chatSent"></div>
+        <script>
+            window.addEventListener('load', () => {
+                WA.chat.onChatMessage((message => {
+                    const chatDiv = document.createElement('p');
+                    chatDiv.innerText = message;
+                    document.getElementById('chatSent').append(chatDiv);
+                }));
+            })
+        </script>
+    </body>
+</html>