<!doctype html>
<html lang="en">
<head>
    <script src="/iframe_api.js" ></script>
    <script>
        // Note: this is a huge XSS flow as we allow anyone to load a Javascript file in our domain.
        // This file must ABSOLUTELY be removed from the Docker images/deployments and is only here
        // for development purpose (because dynamically generated iframes are not working with
        // webpack hot reload due to an issue with rights)
        const urlParams = new URLSearchParams(window.location.search);
        const scriptUrl = urlParams.get('script');
        const script = document.createElement('script');
        script.src = scriptUrl;
        document.head.append(script);
    </script>
    </head>
</html>