ace.js: Don't use srcdoc when creating iframes (see #4975)

Using srcdoc, especially with multiple nested iframes, seems to be
problematic when using `self` in CSP policies.

src/static/empty.html

@@ -0,0 +1 @@
+<!DOCTYPE html><html><head><title>Empty</title></head><body></body></html>

src/static/js/ace.js

@@ -197,7 +197,9 @@ const Ace2Editor = function () {
     //   - Chrome never fires any events on the frame or document. Eventually the document's
     //     readyState becomes 'complete' even though it never fires a readystatechange event.
     //   - Safari behaves like Chrome.
-    outerFrame.srcdoc = '<!DOCTYPE html>';
+    // srcdoc is avoided because Firefox's Content Security Policy engine does not properly handle
+    // 'self' with nested srcdoc iframes: https://bugzilla.mozilla.org/show_bug.cgi?id=1721296
+    outerFrame.src = '../static/empty.html';
     info.frame = outerFrame;
     document.getElementById(containerId).appendChild(outerFrame);
     const outerWindow = outerFrame.contentWindow;
@@ -240,7 +242,7 @@ const Ace2Editor = function () {
     innerFrame.allowTransparency = true; // for IE
     // The iframe MUST have a src or srcdoc property to avoid browser quirks. See the comment above
     // outerFrame.srcdoc.
-    innerFrame.srcdoc = '<!DOCTYPE html>';
+    innerFrame.src = 'empty.html';
     outerDocument.body.insertBefore(innerFrame, outerDocument.body.firstChild);
     const innerWindow = innerFrame.contentWindow;