Fixed potential injection by switching map container to PHP

Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
This commit is contained in:
David Négrier 2021-11-29 19:05:13 +01:00
parent 233c3d1abe
commit 41fd848fa0
27 changed files with 167 additions and 204 deletions

View File

@ -101,7 +101,10 @@
"host": {
"url": "maps-"+url
},
"ports": [80]
"ports": [80],
"env": {
"FRONT_URL": "https://play-"+url
}
},
"redis": {
"image": "redis:6",

View File

@ -92,11 +92,12 @@ services:
- "traefik.http.routers.pusher-ssl.service=pusher"
maps:
image: thecodingmachine/nodejs:12-apache
image: thecodingmachine/php:8.1-v4-apache-node12
environment:
DEBUG_MODE: "$DEBUG_MODE"
HOST: "0.0.0.0"
NODE_ENV: development
FRONT_URL: http://play.workadventure.localhost
#APACHE_DOCUMENT_ROOT: dist/
#APACHE_EXTENSIONS: headers
#APACHE_EXTENSION_HEADERS: 1

View File

@ -96,11 +96,12 @@ services:
- "traefik.http.routers.pusher-ssl.service=pusher"
maps:
image: thecodingmachine/nodejs:12-apache
image: thecodingmachine/php:8.1-v4-apache-node12
environment:
DEBUG_MODE: "$DEBUG_MODE"
HOST: "0.0.0.0"
NODE_ENV: development
FRONT_URL: http://play.workadventure.localhost
#APACHE_DOCUMENT_ROOT: dist/
#APACHE_EXTENSIONS: headers
#APACHE_EXTENSION_HEADERS: 1

View File

@ -12,8 +12,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"website_in_map_script.html"
},
"value":"website_in_map_script.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -24,7 +24,7 @@
"width":30,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":30,
@ -36,7 +36,7 @@
"width":30,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":3,
@ -90,4 +90,4 @@
"type":"map",
"version":1.5,
"width":30
}
}

View File

@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
console.log('On load');
WA.onInit().then(() => {

View File

@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body>
<p>Website opened by script.</p>
</body>
</html>

View File

@ -1 +1 @@
WA.nav.openCoWebSite("cowebsiteAllowApi.html", true, "");
WA.nav.openCoWebSite("cowebsiteAllowApi.php", true, "");

View File

@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body>
<p>Website opened by script.</p>
</body>
</html>

View File

@ -1,20 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>API in iframe menu</title>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body style="text-align: center">
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
</body>
</html>

View File

@ -0,0 +1,16 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>API in iframe menu</title>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body style="text-align: center">
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
</body>
</html>

View File

@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
})
</script>
</head>
<body>
<p>Add a custom menu</p>
</body>
</html>

View File

@ -7,9 +7,9 @@ WA.ui.registerMenuCommand('custom callback menu', () => {
WA.ui.registerMenuCommand('custom iframe menu', {iframe: 'customIframeMenu.html'});
WA.room.onEnterZone('iframeMenu', () => {
menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.html', allowApi: true});
menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.php', allowApi: true});
})
WA.room.onLeaveZone('iframeMenu', () => {
menuIframeApi.remove();
})
})

View File

@ -54,7 +54,7 @@
{
"name":"openWebsite",
"type":"string",
"value":"customMenu.html"
"value":"customMenu.php"
},
{
"name":"openWebsiteAllowApi",
@ -97,4 +97,4 @@
"type":"map",
"version":"1.6",
"width":10
}
}

View File

@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
})
</script>
</head>
<body>
<p>Add a custom menu</p>
</body>
</html>

View File

@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.player.onPlayerMove(console.log);
})
</script>
</head>
<body>
<p>Log in the console the movement of the current player in the zone of the iframe</p>
</body>
</html>

View File

@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -36,8 +36,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"playerMove.html"
},
"value":"playerMove.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -48,7 +48,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@ -105,7 +105,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@ -114,7 +114,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@ -123,7 +123,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@ -132,7 +132,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@ -141,7 +141,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@ -150,7 +150,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@ -159,7 +159,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@ -168,7 +168,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@ -177,7 +177,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@ -186,7 +186,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@ -195,7 +195,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@ -204,7 +204,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@ -213,7 +213,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@ -222,7 +222,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@ -233,7 +233,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@ -251,4 +251,4 @@
"type":"map",
"version":1.4,
"width":10
}
}

View File

@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.player.onPlayerMove(console.log);
})
</script>
</head>
<body>
<p>Log in the console the movement of the current player in the zone of the iframe</p>
</body>
</html>

View File

@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -36,8 +36,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"setProperty.html"
},
"value":"setProperty.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -48,7 +48,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -60,7 +60,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@ -117,7 +117,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@ -126,7 +126,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@ -135,7 +135,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@ -144,7 +144,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@ -153,7 +153,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@ -162,7 +162,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@ -171,7 +171,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@ -180,7 +180,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@ -189,7 +189,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@ -198,7 +198,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@ -207,7 +207,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@ -216,7 +216,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@ -225,7 +225,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@ -234,7 +234,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@ -245,7 +245,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@ -263,4 +263,4 @@
"type":"map",
"version":1.4,
"width":10
}
}

View File

@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.room.setProperty('iframeTest', 'openWebsite', 'https://www.wikipedia.org/');
WA.room.setProperty('metadata', 'openWebsite', 'https://www.wikipedia.org/');
@ -16,4 +12,4 @@
<body>
<p>Change the url of this iframe and add the 'openWebsite' property to the red tile layer</p>
</body>
</html>
</html>

View File

@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.room.setTiles([

View File

@ -43,7 +43,7 @@
{
"name":"openWebsite",
"type":"string",
"value":"setTiles.html"
"value":"setTiles.php"
},
{
"name":"openWebsiteAllowApi",

View File

@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
document.getElementById('show/hideLayer').onclick = () => {
if (document.getElementById('show/hideLayer').checked) {
@ -24,4 +20,4 @@
<label for="show/hideLayer">Crysal Layer : </label><input type="checkbox" id="show/hideLayer" name="visible" value="show" checked>
</div>
</body>
</html>
</html>

View File

@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[22, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 22, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -37,7 +37,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -48,8 +48,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"showHideLayer.html"
},
"value":"showHideLayer.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -60,7 +60,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@ -117,7 +117,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@ -126,7 +126,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@ -135,7 +135,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@ -144,7 +144,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@ -153,7 +153,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@ -162,7 +162,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@ -171,7 +171,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@ -180,7 +180,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@ -189,7 +189,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@ -198,7 +198,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@ -207,7 +207,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@ -216,7 +216,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@ -225,7 +225,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@ -234,7 +234,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@ -245,7 +245,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@ -263,4 +263,4 @@
"type":"map",
"version":1.4,
"width":10
}
}

View File

@ -12,8 +12,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"shared_variables.html"
},
"value":"shared_variables.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -24,7 +24,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -36,7 +36,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":3,
@ -59,7 +59,7 @@
"width":252.4375,
"x":2.78125,
"y":2.5
},
},
{
"height":0,
"id":5,
@ -70,22 +70,22 @@
"name":"default",
"type":"string",
"value":"default value"
},
},
{
"name":"jsonSchema",
"type":"string",
"value":"{}"
},
},
{
"name":"persist",
"type":"bool",
"value":true
},
},
{
"name":"readableBy",
"type":"string",
"value":""
},
},
{
"name":"writableBy",
"type":"string",
@ -128,4 +128,4 @@
"type":"map",
"version":1.5,
"width":10
}
}

View File

@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
console.log('On load');
WA.onInit().then(() => {

View File

@ -1,13 +1,7 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
</script>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
</head>
<body>
<button id="sendchat">Send chat message</button>

View File

@ -20,7 +20,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -32,7 +32,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 34, 34, 34, 34, 34, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -43,8 +43,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"iframe.html"
},
"value":"iframe.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@ -55,7 +55,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 93, 0, 104, 0, 0, 0, 0, 0, 0, 0, 104, 0, 115, 0, 0, 0, 93, 0, 0, 0, 115, 0, 0, 0, 93, 0, 104, 0, 0, 0, 0, 0, 0, 0, 104, 0, 115, 93, 0, 0, 0, 0, 0, 0, 115, 0, 0, 104, 0, 0, 0, 0, 0, 0, 0, 0, 0, 115, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@ -67,7 +67,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":3,
@ -121,4 +121,4 @@
"type":"map",
"version":1.4,
"width":10
}
}