From 9425fd70c00edc6b6e1365bbee0aab6521c8ec41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20N=C3=A9grier?=
Date: Wed, 12 Jan 2022 17:22:41 +0100
Subject: [PATCH] Adding a new property to prevent script from being loaded in "modules" mode
Scripts in module mode need to be abide by the Same Origin Policy (CORS headers are used to load them) This can cause issues on some setups. This commit adds a new "scriptDisableModuleSupport" that can be used to disable the "modules" mode.
Closes #1721
---
 docs/maps/hosting.md | 5 ++
 docs/maps/menu.php | 8 +-
 docs/maps/scripting-internals.md | 62 +++++++++++++++
 docs/maps/scripting.md | 19 ++++-
 front/dist/iframe.html | 5 +-
 front/src/Api/IframeListener.ts | 12 ++-
 front/src/Phaser/Game/GameMapProperties.ts | 1 +
 front/src/Phaser/Game/GameScene.ts | 5 +-
 maps/tests/Modules/module.js | 1 +
 maps/tests/Modules/script.js | 3 +
 maps/tests/Modules/with_modules.json | 88 ++++++++++++++++++++
 maps/tests/Modules/without_modules.json | 93 ++++++++++++++++++++++
 maps/tests/index.html | 16 ++++
 tests/tests/modules.ts | 44 ++++++++++
 14 files changed, 353 insertions(+), 9 deletions(-)
 create mode 100644 docs/maps/scripting-internals.md
 create mode 100644 maps/tests/Modules/module.js
 create mode 100644 maps/tests/Modules/script.js
 create mode 100644 maps/tests/Modules/with_modules.json
 create mode 100644 maps/tests/Modules/without_modules.json
 create mode 100644 tests/tests/modules.ts
diff --git a/docs/maps/hosting.md b/docs/maps/hosting.md
index cd3d310d..b0d8bc22 100644
--- a/docs/maps/hosting.md
+++ b/docs/maps/hosting.md
@@ -12,6 +12,11 @@ If you decide to host your maps on your own webserver, you must **configure CORS
 CORS headers ([Cross Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)) are useful when a website want to make some resources accessible to another website. This is exactly what we want to do. We want the map you are designing to be accessible from the WorkAdventure domain (`play.workadventu.re`).
+{.alert.alert-warning}
+If you are using the "scripting API", only allowing the `play.workadventu.re` will not be enough. You will need to allow `*`
+as a domain in order to be able to load scripts. If for some reason, you cannot or do not want to allow `*` as a domain, please
+read the [scripting internals](scripting-internals.md) guide for alternatives.
+
 ### Enabling CORS for Apache
 In order to enable CORS in your Apache configuration, you will need to ensure the `headers` module is enabled.
diff --git a/docs/maps/menu.php b/docs/maps/menu.php
index 10a2f4c5..b8d0e638 100644
--- a/docs/maps/menu.php
+++ b/docs/maps/menu.php
@@ -149,7 +149,13 @@ return [
 ],
 ]
 ],
- $extraUtilsMenu
+ $extraUtilsMenu,
+ [
+ 'title' => 'Scripting internals',
+ 'url' => '/map-building/scripting-internals.md',
+ 'markdown' => 'maps.scripting-internals',
+ 'editUrl' => 'https://github.com/thecodingmachine/workadventure/edit/develop/docs/maps/scripting-internals.md',
+ ],
 ]
 ],
 [
diff --git a/docs/maps/scripting-internals.md b/docs/maps/scripting-internals.md
new file mode 100644
index 00000000..65bd9850
--- /dev/null
+++ b/docs/maps/scripting-internals.md
@@ -0,0 +1,62 @@
+{.section-title.accent.text-primary}
+# Scripting internals
+
+Internally, scripts are always loaded inside `iframes`.
+
+You can load a script:
+
+1. Using the [`script` property in your map properties](scripting.md#adding-a-script-in-the-map)
+2. or from an iframe [opened as a co-website](scripting.md#adding-a-script-in-an-iframe) or [embedded in the map](website-in-map.md#allowing-the-scripting-api-in-your-iframe)
+
+## Script restrictions
+
+If you load a script using the `script` property in your map properties (solution 1), you need to understand that
+WorkAdventure will generate an iframe, and will load the script inside this iframe.
+
+Things you should know:
+
+{.alert.alert-warning}
+The [iframe is sandboxed](https://blog.dareboost.com/en/2015/07/securing-iframe-sandbox-attribute/)
+
+This means that the iframe is generated with:
+
+```
+