Update Bilibili.com.xml #7495
Update Bilibili.com.xml #7495
Conversation
| - bangumi FROM static.hdslb.com, s[1-3].hdslb.com | ||
| - pay, passport FROM api* | ||
| * Secured by us | ||
| MCB: |
There was a problem hiding this comment.
Any reasons to do so?
| - app FROM activity.hdslb.com | ||
| - bangumi FROM static.hdslb.com, s[1-3].hdslb.com | ||
| - pay, passport FROM api* | ||
| * Secured by us |
There was a problem hiding this comment.
hdslb.com supports https now, I think we can create a mixcontent ruleset for them.
There was a problem hiding this comment.
今后再也不没事找事写复杂的排除规则了,累死了。
There was a problem hiding this comment.
一来我都写了排除规则了,二来页面里有 http://push-msg.bilibili.com:8090/sub 这种玩意,恐怕也不适合写成 mixcontent
| MCB: | ||
| - app | ||
| - bangumi | ||
| - passport |
There was a problem hiding this comment.
Mixed Content: The page at 'https://passport.bilibili.com/site/site.html' was loaded over HTTPS, but requested an insecure script 'http://data.bilibili.com/a/access.js?_=1478934401113'. This request has been blocked; the content must be served over HTTPS.
There was a problem hiding this comment.
其实 pay. 也有mixed js,但是都没有发现功能丢失
There was a problem hiding this comment.
/a/account.js 只在登录界面有啊……登录之后有 /a/access.js 的 MCB
There was a problem hiding this comment.
退出重新登录,全程开着控制台,你说的还真没找到。不过发现了其他MCB
There was a problem hiding this comment.
有 MCB 但是没有 functional broken, 留着注释就行没必要去掉 target……
There was a problem hiding this comment.
那 bmall.bilibili.com 似乎也可以放进去
| @@ -31,6 +33,7 @@ | |||
| <test url="http://interface.bilibili.com/msg.xml" /> | |||
| <target host="passport.bilibili.com" /> | |||
| <target host="pay.bilibili.com" /> | |||
| <target host="planet2017.bilibili.com" /> | |||
There was a problem hiding this comment.
XMLHttpRequest cannot load https://www.bilibili.com/activity/web/view/data/5. The 'Access-Control-Allow-Origin' header has a value 'http://planet2017.bilibili.com' that is not equal to the supplied origin. Origin 'https://planet2017.bilibili.com' is therefore not allowed access.
| <target host="www.bilibili.com" /> | ||
| <exclusion pattern="^http://www\.bilibili\.com/(?!online\.js|widget/)" /> | ||
| <test url="http://www.bilibili.com/online.js" /> | ||
| <test url="http://www.bilibili.com/widget/getSearchDefaultWords" /> |
There was a problem hiding this comment.
XMLHttpRequest cannot load https://www.bilibili.com/widget/getSearchDefaultWords. The 'Access-Control-Allow-Origin' header has a value 'http://bangumi.bilibili.com' that is not equal to the supplied origin. Origin 'http://www.bilibili.com' is therefore not allowed access.
|
今年再也不新建这种复杂规则了,再写就剁手(哭 |
|
@gloomy-ghost 突然有种鬼畜大哥盯着我们的恐慌感——这些问题大都不存在了!啊啊啊…… |
|
竭尽全力规避CORS |
|
我还开着的PR又有整整3页75个了…… |
|
年底了,reviewers也要假期啊…… 211毕业的人就别纠结学霸了,还在象牙塔里的人才说这个(逃 |
|
现在的确不纠结了,只考虑雾霾下还有几年阳寿…… |
| <exclusion pattern="^http://www\.bilibili\.com/index/index-icon\.json" /> | ||
| <exclusion pattern="^http://www\.bilibili\.com/widget/getSearchDefaultWords" /> | ||
| <test url="http://www.bilibili.com/index/index-icon.json" /> | ||
| <test url="http://www.bilibili.com/widget/getSearchDefaultWords" /> |
There was a problem hiding this comment.
和之前 #7944 一样把触发 CORS 的网址也在注释里写上吧,也方便以后维护
|
|
||
| <target host="data.bilibili.com" /> | ||
| <exclusion pattern="^http://data\.bilibili\.com/$" /> | ||
| <exclusion pattern="^http://data\.bilibili\.com/e/p" /> |
There was a problem hiding this comment.
参照 #6629 (comment) 的说法,把广告/统计搞挂了也不要紧(逃
| <target host="game.bilibili.com" /> | ||
| <target host="interface.bilibili.com" /> | ||
| <test url="http://interface.bilibili.com/msg.xml" /> | ||
| <target host="api.live.bilibili.com" /> |
There was a problem hiding this comment.
api.live.bilibili.com 和 https://api.live.bilibili.com 内容不一样,有https下正常的API例子么?
| <target host="bmall.bilibili.com" /> | ||
| <target host="game.bilibili.com" /> | ||
| <target host="interface.bilibili.com" /> | ||
| <test url="http://interface.bilibili.com/msg.xml" /> |
There was a problem hiding this comment.
Note:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:POST, GET
Access-Control-Allow-Origin:http://www.bilibili.com
If the origin in request is https, then the server will use Access-Control-Allow-Origin:https://www.bilibili.com instead.
which means any redirection executed by https everywhere will be blocked because the origin is dropped after redirect. However, the player requests a protocol-relative URL, so it should be safe to keep this target as we also secured www.bilibili.com
| <!-- Directly: --> | ||
| <target host="account.bilibili.com" /> | ||
| <test url="http://account.bilibili.com/site/nameplate.html" /> | ||
| <target host="big.bilibili.com" /> |
There was a problem hiding this comment.
Mixed Content: The page at 'https://big.bilibili.com/site/big.html' was loaded over HTTPS, but requested an insecure resource 'http://vip.bilibili.com/site/vip-exchange-plugin.html?'. This request has been blocked; the content must be served over HTTPS.
| If the origin in request is https, then the server will use Access-Control-Allow-Origin:https://www.bilibili.com instead. | ||
|
|
||
| Which means any redirection executed by https everywhere will be blocked because the origin is dropped after redirect. However, the player requests a protocol-relative URL, so it should be safe to keep this target as we also secured www.bilibili.com . | ||
|
|
There was a problem hiding this comment.
……我只是写在那里备查的,毕竟这个只要一重定向就会被block,万一出问题查到这个PR有点说不过去
| ( test: http://h.bilibili.com/dy\d+ ) | ||
| - comment.bilibili.com | ||
| ( test: https://www.bilibili.com/video/av\d+/ ) | ||
| ( Functional breakage. Test: http://h.bilibili.com/dy\d+ ) |
There was a problem hiding this comment.
Please list the issue specifically, something likes "Comments are not displaying properly"
No description provided.