workadventure/front/dist/iframe.html

<!doctype html>
<html lang="en">
<head>
    <script src="/iframe_api.js" ></script>
    <script>
        // Note: this is a huge XSS flow as we allow anyone to load a Javascript file in our domain.
        // This file must ABSOLUTELY be removed from the Docker images/deployments and is only here
        // for development purpose (because dynamically generated iframes are not working with
        // webpack hot reload due to an issue with rights)
        const urlParams = new URLSearchParams(window.location.search);
        const scriptUrl = urlParams.get('script');
        const script = document.createElement('script');
        script.src = scriptUrl;
        document.head.append(script);
    </script>
    </head>
</html>
Adding the ability to register a single script using the "script" attribute at the map property level. 2021-03-07 21:02:38 +01:00			`<!doctype html>`
			`<html lang="en">`
			`<head>`
			`<script src="/iframe_api.js" ></script>`
			`<script>`
			`// Note: this is a huge XSS flow as we allow anyone to load a Javascript file in our domain.`
			`// This file must ABSOLUTELY be removed from the Docker images/deployments and is only here`
			`// for development purpose (because dynamically generated iframes are not working with`
			`// webpack hot reload due to an issue with rights)`
			`const urlParams = new URLSearchParams(window.location.search);`
			`const scriptUrl = urlParams.get('script');`
			`const script = document.createElement('script');`
			`script.src = scriptUrl;`
			`document.head.append(script);`
			`</script>`
			`</head>`
			`</html>`