remove iframe.html

front/Dockerfile

@@ -14,10 +14,6 @@ RUN cp -r ../messages/JsonMessages/* src/Messages/JsonMessages
 
 RUN yarn install && yarn run typesafe-i18n && yarn run build-iframe-api && yarn build
 
-# Removing the iframe.html file from the final image as this adds a XSS attack.
-# iframe.html is only in dev mode to circumvent a limitation
-RUN rm dist/iframe.html
-
 FROM thecodingmachine/nodejs:14-apache
 
 COPY --from=builder --chown=docker:docker /usr/src/front/dist dist

front/public/iframe.html

@@ -1,21 +0,0 @@
-<!doctype html>
-<html lang="en">
-<head>
-    <script src="/iframe_api.js" ></script>
-    <script>
-        // Note: this is a huge XSS flow as we allow anyone to load a Javascript file in our domain.
-        // This file must ABSOLUTELY be removed from the Docker images/deployments and is only here
-        // for development purpose (because dynamically generated iframes are not working with
-        // webpack hot reload due to an issue with rights)
-        const urlParams = new URLSearchParams(window.location.search);
-        const scriptUrl = urlParams.get('script');
-        const script = document.createElement('script');
-        script.src = scriptUrl;
-
-        if (urlParams.get('moduleMode') === 'true') {
-            script.type = "module";
-        }
-        document.head.append(script);
-    </script>
-    </head>
-</html>

front/src/Api/IframeListener.ts

@@ -289,68 +289,42 @@ class IframeListener {
         return new Promise<void>((resolve, reject) => {
             console.info("Loading map related script at ", scriptUrl);
 
-            if (!process.env.NODE_ENV || process.env.NODE_ENV === "development") {
+            const iframe = document.createElement("iframe");
-                // Using external iframe mode (
+            iframe.id = IframeListener.getIFrameId(scriptUrl);
-                const iframe = document.createElement("iframe");
+            iframe.style.display = "none";
-                iframe.id = IframeListener.getIFrameId(scriptUrl);
-                iframe.style.display = "none";
-                iframe.src =
-                    "/iframe.html?script=" +
-                    encodeURIComponent(scriptUrl) +
-                    "&moduleMode=" +
-                    (enableModuleMode ? "true" : "false");
 
-                // We are putting a sandbox on this script because it will run in the same domain as the main website.
+            // We are putting a sandbox on this script because it will run in the same domain as the main website.
-                iframe.sandbox.add("allow-scripts");
+            iframe.sandbox.add("allow-scripts");
-                iframe.sandbox.add("allow-top-navigation-by-user-activation");
+            iframe.sandbox.add("allow-top-navigation-by-user-activation");
 
-                iframe.addEventListener("load", () => {
+            //iframe.src = "data:text/html;charset=utf-8," + escape(html);
-                    resolve();
+            iframe.srcdoc =
-                });
+                "<!doctype html>\n" +
+                "\n" +
+                '<html lang="en">\n' +
+                "<head>\n" +
+                '<script src="' +
+                window.location.protocol +
+                "//" +
+                window.location.host +
+                '/iframe_api.js" ></script>\n' +
+                "<script " +
+                (enableModuleMode ? 'type="module" ' : "") +
+                'src="' +
+                scriptUrl +
+                '" ></script>\n' +
+                "<title></title>\n" +
+                "</head>\n" +
+                "</html>\n";
 
-                document.body.prepend(iframe);
+            iframe.addEventListener("load", () => {
+                resolve();
+            });
 
-                this.scripts.set(scriptUrl, iframe);
+            document.body.prepend(iframe);
-                this.registerIframe(iframe);
-            } else {
-                // production code
-                const iframe = document.createElement("iframe");
-                iframe.id = IframeListener.getIFrameId(scriptUrl);
-                iframe.style.display = "none";
 
-                // We are putting a sandbox on this script because it will run in the same domain as the main website.
+            this.scripts.set(scriptUrl, iframe);
-                iframe.sandbox.add("allow-scripts");
+            this.registerIframe(iframe);
-                iframe.sandbox.add("allow-top-navigation-by-user-activation");
-
-                //iframe.src = "data:text/html;charset=utf-8," + escape(html);
-                iframe.srcdoc =
-                    "<!doctype html>\n" +
-                    "\n" +
-                    '<html lang="en">\n' +
-                    "<head>\n" +
-                    '<script src="' +
-                    window.location.protocol +
-                    "//" +
-                    window.location.host +
-                    '/iframe_api.js" ></script>\n' +
-                    "<script " +
-                    (enableModuleMode ? 'type="module" ' : "") +
-                    'src="' +
-                    scriptUrl +
-                    '" ></script>\n' +
-                    "<title></title>\n" +
-                    "</head>\n" +
-                    "</html>\n";
-
-                iframe.addEventListener("load", () => {
-                    resolve();
-                });
-
-                document.body.prepend(iframe);
-
-                this.scripts.set(scriptUrl, iframe);
-                this.registerIframe(iframe);
-            }
         });
     }