Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.

deeployer.libsonnet

@@ -101,7 +101,10 @@
       "host": {
         "url": "maps-"+url
       },
-      "ports": [80]
+      "ports": [80],
+      "env": {
+          "FRONT_URL": "https://play-"+url
+      }
     },
     "redis": {
       "image": "redis:6",

docker-compose.single-domain.yaml

@@ -92,11 +92,12 @@ services:
       - "traefik.http.routers.pusher-ssl.service=pusher"
 
   maps:
-    image: thecodingmachine/nodejs:12-apache
+    image: thecodingmachine/php:8.1-v4-apache-node12
     environment:
       DEBUG_MODE: "$DEBUG_MODE"
       HOST: "0.0.0.0"
       NODE_ENV: development
+      FRONT_URL: http://play.workadventure.localhost
       #APACHE_DOCUMENT_ROOT: dist/
       #APACHE_EXTENSIONS: headers
       #APACHE_EXTENSION_HEADERS: 1

docker-compose.yaml

@@ -96,11 +96,12 @@ services:
       - "traefik.http.routers.pusher-ssl.service=pusher"
 
   maps:
-    image: thecodingmachine/nodejs:12-apache
+    image: thecodingmachine/php:8.1-v4-apache-node12
     environment:
       DEBUG_MODE: "$DEBUG_MODE"
       HOST: "0.0.0.0"
       NODE_ENV: development
+      FRONT_URL: http://play.workadventure.localhost
       #APACHE_DOCUMENT_ROOT: dist/
       #APACHE_EXTENSIONS: headers
       #APACHE_EXTENSION_HEADERS: 1

maps/tests/EmbeddedWebsite/website_in_map_script.json

@@ -12,7 +12,7 @@
                 {
                  "name":"openWebsite",
                  "type":"string",
-                 "value":"website_in_map_script.html"
+                 "value":"website_in_map_script.php"
                 },
                 {
                  "name":"openWebsiteAllowApi",

maps/tests/EmbeddedWebsite/website_in_map_script.php

@@ -1,12 +1,8 @@
 <!doctype html>
 <html lang="en">
 <head>
+    <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
     <script>
-        var script = document.createElement('script');
-        // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-        // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-        script.setAttribute('src', document.referrer + 'iframe_api.js');
-        document.head.appendChild(script);
         window.addEventListener('load', () => {
             console.log('On load');
             WA.onInit().then(() => {

maps/tests/Metadata/cowebsiteAllowApi.html

@@ -1,18 +0,0 @@
-<!doctype html>
-<html lang="en">
-    <head>
-        <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);
-            window.addEventListener('load', () => {
-                WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
-            })
-        </script>
-    </head>
-    <body>
-        <p>Website opened by script.</p>
-    </body>
-</html>

maps/tests/Metadata/cowebsiteAllowApi.js

@@ -1 +1 @@
-WA.nav.openCoWebSite("cowebsiteAllowApi.html", true, "");
+WA.nav.openCoWebSite("cowebsiteAllowApi.php", true, "");

maps/tests/Metadata/cowebsiteAllowApi.php

@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+    <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
+        <script>
+            window.addEventListener('load', () => {
+                WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
+            })
+        </script>
+    </head>
+    <body>
+        <p>Website opened by script.</p>
+    </body>
+</html>

maps/tests/Metadata/customIframeMenuApi.html

@@ -1,20 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <title>API in iframe menu</title>
-  <script>
-    var script = document.createElement('script');
-    // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-    // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-    script.setAttribute('src', document.referrer + 'iframe_api.js');
-    document.head.appendChild(script);
-    window.addEventListener('load', () => {
-      WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
-    })
-  </script>
-</head>
-<body style="text-align: center">
-    <p style="color: whitesmoke">This is an iframe in a custom menu.</p>
-</body>
-</html>

maps/tests/Metadata/customIframeMenuApi.php

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>API in iframe menu</title>
+    <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
+    <script>
+    window.addEventListener('load', () => {
+      WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
+    })
+    </script>
+</head>
+<body style="text-align: center">
+    <p style="color: whitesmoke">This is an iframe in a custom menu.</p>
+</body>
+</html>

maps/tests/Metadata/customMenu.html

@@ -1,18 +0,0 @@
-<!doctype html>
-<html lang="en">
-<head>
-    <script>
-        var script = document.createElement('script');
-        // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-        // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-        script.setAttribute('src', document.referrer + 'iframe_api.js');
-        document.head.appendChild(script);
-        window.addEventListener('load', () => {
-            WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
-        })
-    </script>
-</head>
-<body>
-    <p>Add a custom menu</p>
-</body>
-</html>

maps/tests/Metadata/customMenu.js

@@ -7,7 +7,7 @@ WA.ui.registerMenuCommand('custom callback menu', () => {
 WA.ui.registerMenuCommand('custom iframe menu', {iframe: 'customIframeMenu.html'});
 
 WA.room.onEnterZone('iframeMenu', () => {
-    menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.html', allowApi: true});
+    menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.php', allowApi: true});
 })
 
 WA.room.onLeaveZone('iframeMenu', () => {

maps/tests/Metadata/customMenu.json

@@ -54,7 +54,7 @@
         {
           "name":"openWebsite",
           "type":"string",
-          "value":"customMenu.html"
+          "value":"customMenu.php"
         },
         {
           "name":"openWebsiteAllowApi",

maps/tests/Metadata/customMenu.php

@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
+    <script>
+        window.addEventListener('load', () => {
+            WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
+        })
+    </script>
+</head>
+<body>
+    <p>Add a custom menu</p>
+</body>
+</html>

maps/tests/Metadata/playerMove.html

@@ -1,18 +0,0 @@
-<!doctype html>
-<html lang="en">
-    <head>
-        <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);
-            window.addEventListener('load', () => {
-                WA.player.onPlayerMove(console.log);
-            })
-        </script>
-    </head>
-    <body>
-        <p>Log in the console the movement of the current player in the zone of the iframe</p>
-    </body>
-</html>

maps/tests/Metadata/playerMove.json

@@ -36,7 +36,7 @@
                 {
                  "name":"openWebsite",
                  "type":"string",
-                 "value":"playerMove.html"
+                 "value":"playerMove.php"
                 },
                 {
                  "name":"openWebsiteAllowApi",

maps/tests/Metadata/playerMove.php

@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+    <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
+        <script>
+            window.addEventListener('load', () => {
+                WA.player.onPlayerMove(console.log);
+            })
+        </script>
+    </head>
+    <body>
+        <p>Log in the console the movement of the current player in the zone of the iframe</p>
+    </body>
+</html>

maps/tests/Metadata/setProperty.json

@@ -36,7 +36,7 @@
                 {
                  "name":"openWebsite",
                  "type":"string",
-                 "value":"setProperty.html"
+                 "value":"setProperty.php"
                 },
                 {
                  "name":"openWebsiteAllowApi",

maps/tests/Metadata/setProperty.php

@@ -1,12 +1,8 @@
 <!doctype html>
 <html lang="en">
     <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
         <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);
             window.addEventListener('load', () => {
                 WA.room.setProperty('iframeTest', 'openWebsite', 'https://www.wikipedia.org/');
                 WA.room.setProperty('metadata', 'openWebsite', 'https://www.wikipedia.org/');

maps/tests/Metadata/setTiles.html

@@ -1,12 +1,8 @@
 <!doctype html>
 <html lang="en">
     <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
         <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);
 
             window.addEventListener('load', () => {
                 WA.room.setTiles([

maps/tests/Metadata/setTiles.json

@@ -43,7 +43,7 @@
                 {
                  "name":"openWebsite",
                  "type":"string",
-                 "value":"setTiles.html"
+                 "value":"setTiles.php"
                 },
                 {
                  "name":"openWebsiteAllowApi",

maps/tests/Metadata/showHideLayer.html

@@ -1,12 +1,8 @@
 <!doctype html>
 <html lang="en">
     <head>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
         <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);
             window.addEventListener('load', () => {
                 document.getElementById('show/hideLayer').onclick = () => {
                     if (document.getElementById('show/hideLayer').checked) {

maps/tests/Metadata/showHideLayer.json

@@ -48,7 +48,7 @@
                 {
                  "name":"openWebsite",
                  "type":"string",
-                 "value":"showHideLayer.html"
+                 "value":"showHideLayer.php"
                 },
                 {
                  "name":"openWebsiteAllowApi",

maps/tests/Variables/shared_variables.json

@@ -12,7 +12,7 @@
                 {
                  "name":"openWebsite",
                  "type":"string",
-                 "value":"shared_variables.html"
+                 "value":"shared_variables.php"
                 },
                 {
                  "name":"openWebsiteAllowApi",

maps/tests/Variables/shared_variables.php

@@ -1,12 +1,8 @@
 <!doctype html>
 <html lang="en">
 <head>
+    <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
     <script>
-        var script = document.createElement('script');
-        // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-        // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-        script.setAttribute('src', document.referrer + 'iframe_api.js');
-        document.head.appendChild(script);
         window.addEventListener('load', () => {
             console.log('On load');
             WA.onInit().then(() => {

maps/tests/iframe.php

@@ -1,13 +1,7 @@
 <!doctype html>
 <html lang="en">
     <head>
-        <script>
-            var script = document.createElement('script');
-            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
-            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
-            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            document.head.appendChild(script);
-        </script>
+        <script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
     </head>
     <body>
         <button id="sendchat">Send chat message</button>

maps/tests/iframe_api.json

@@ -43,7 +43,7 @@
                 {
                  "name":"openWebsite",
                  "type":"string",
-                 "value":"iframe.html"
+                 "value":"iframe.php"
                 },
                 {
                  "name":"openWebsiteAllowApi",