remove iframe.html

2022-02-15 20:19:45 +01:00 · 2022-02-15 20:19:45 +01:00 · 620e218612
commit 620e218612
parent 8c96a986fb
3 changed files with 31 additions and 82 deletions
--- a/front/Dockerfile
+++ b/front/Dockerfile
@ -14,10 +14,6 @@ RUN cp -r ../messages/JsonMessages/* src/Messages/JsonMessages

 RUN yarn install && yarn run typesafe-i18n && yarn run build-iframe-api && yarn build

-# Removing the iframe.html file from the final image as this adds a XSS attack.
-# iframe.html is only in dev mode to circumvent a limitation
-RUN rm dist/iframe.html
-
 FROM thecodingmachine/nodejs:14-apache

 COPY --from=builder --chown=docker:docker /usr/src/front/dist dist
--- a/front/public/iframe.html
+++ b/front/public/iframe.html
@ -1,21 +0,0 @@
-<!doctype html>
-<html lang="en">
-<head>
-    <script src="/iframe_api.js" ></script>
-    <script>
-        // Note: this is a huge XSS flow as we allow anyone to load a Javascript file in our domain.
-        // This file must ABSOLUTELY be removed from the Docker images/deployments and is only here
-        // for development purpose (because dynamically generated iframes are not working with
-        // webpack hot reload due to an issue with rights)
-        const urlParams = new URLSearchParams(window.location.search);
-        const scriptUrl = urlParams.get('script');
-        const script = document.createElement('script');
-        script.src = scriptUrl;
-
-        if (urlParams.get('moduleMode') === 'true') {
-            script.type = "module";
-        }
-        document.head.append(script);
-    </script>
-    </head>
-</html>
--- a/front/src/Api/IframeListener.ts
+++ b/front/src/Api/IframeListener.ts
@ -289,31 +289,6 @@ class IframeListener {
        return new Promise<void>((resolve, reject) => {
            console.info("Loading map related script at ", scriptUrl);

-            if (!process.env.NODE_ENV || process.env.NODE_ENV === "development") {
-                // Using external iframe mode (
-                const iframe = document.createElement("iframe");
-                iframe.id = IframeListener.getIFrameId(scriptUrl);
-                iframe.style.display = "none";
-                iframe.src =
-                    "/iframe.html?script=" +
-                    encodeURIComponent(scriptUrl) +
-                    "&moduleMode=" +
-                    (enableModuleMode ? "true" : "false");
-
-                // We are putting a sandbox on this script because it will run in the same domain as the main website.
-                iframe.sandbox.add("allow-scripts");
-                iframe.sandbox.add("allow-top-navigation-by-user-activation");
-
-                iframe.addEventListener("load", () => {
-                    resolve();
-                });
-
-                document.body.prepend(iframe);
-
-                this.scripts.set(scriptUrl, iframe);
-                this.registerIframe(iframe);
-            } else {
-                // production code
            const iframe = document.createElement("iframe");
            iframe.id = IframeListener.getIFrameId(scriptUrl);
            iframe.style.display = "none";
@ -350,7 +325,6 @@ class IframeListener {

            this.scripts.set(scriptUrl, iframe);
            this.registerIframe(iframe);
-            }
        });
    }