Adding a warning regarding the "controlled" XSS in iframe.html

2021-06-28 13:55:17 +02:00 · 2021-06-28 13:55:17 +02:00 · 303d2a7837
parent 7f79c2dc4a
commit 303d2a7837
1 changed files with 2 additions and 3 deletions
--- a/maps/tests/iframe.html
+++ b/maps/tests/iframe.html
@ -1,12 +1,11 @@
 <!doctype html>
 <html lang="en">
    <head>
-
        <script>
            var script = document.createElement('script');
+            // Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
+            // We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
            script.setAttribute('src', document.referrer + 'iframe_api.js');
-            script.defer = false;
-            script.async = false;
            document.head.appendChild(script);
        </script>
    </head>