partey_workadventure/front/dist/iframe.html
David Négrier 9425fd70c0 Adding a new property to prevent script from being loaded in "modules" mode
Scripts in module mode need to be abide by the Same Origin Policy (CORS headers are used to load them)
This can cause issues on some setups.

This commit adds a new "scriptDisableModuleSupport" that can be used to disable the "modules" mode.

Closes 
2022-01-12 17:36:31 +01:00

22 lines
836 B
HTML

<!doctype html>
<html lang="en">
<head>
<script src="/iframe_api.js" ></script>
<script>
// Note: this is a huge XSS flow as we allow anyone to load a Javascript file in our domain.
// This file must ABSOLUTELY be removed from the Docker images/deployments and is only here
// for development purpose (because dynamically generated iframes are not working with
// webpack hot reload due to an issue with rights)
const urlParams = new URLSearchParams(window.location.search);
const scriptUrl = urlParams.get('script');
const script = document.createElement('script');
script.src = scriptUrl;
if (urlParams.get('moduleMode') === 'true') {
script.type = "module";
}
document.head.append(script);
</script>
</head>
</html>