Conversation
- bangumi FROM static.hdslb.com, s[1-3].hdslb.com | ||
- pay, passport FROM api* | ||
* Secured by us | ||
MCB: |
Any reasons to do so?
- app FROM activity.hdslb.com | ||
- bangumi FROM static.hdslb.com, s[1-3].hdslb.com | ||
- pay, passport FROM api* | ||
* Secured by us |
hdslb.com supports https now, I think we can create a mixcontent ruleset for them.
That means writing exclusion rules... my laziness is flaring up~
From now on I'm never going out of my way to write complicated exclusion rules again, it's exhausting.
For one thing I've already written the exclusion rules; for another, the page contains things like http://push-msg.bilibili.com:8090/sub, so it probably isn't suitable for a mixcontent ruleset either.
MCB: | ||
- app | ||
- bangumi | ||
- passport |
Mixed Content: The page at 'https://passport.bilibili.com/site/site.html' was loaded over HTTPS, but requested an insecure script 'http://data.bilibili.com/a/access.js?_=1478934401113'. This request has been blocked; the content must be served over HTTPS.
Log in first.
I don't have an account... so should an exclusion rule be added?
Actually pay. also has mixed JS, but no loss of functionality has been found.
/a/account.js only appears on the login page... after logging in there is MCB for /a/access.js.
There is MCB but no functional breakage; just keep the comment, no need to remove the target...
Then bmall.bilibili.com could apparently go in there too.
@@ -31,6 +33,7 @@ | |||
<test url="http://interface.bilibili.com/msg.xml" /> | |||
<target host="passport.bilibili.com" /> | |||
<target host="pay.bilibili.com" /> | |||
<target host="planet2017.bilibili.com" /> |
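Review bot: the new `<target host="planet2017.bilibili.com" />` comes with no test URL and no comment, and the console error reported below shows why it needs one: the `Access-Control-Allow-Origin` header on `https://www.bilibili.com/activity/web/view/data/5` is fixed to `http://planet2017.bilibili.com`, so once the page origin is rewritten to `https://planet2017.bilibili.com` the request is refused. Either add an exclusion for the affected page or record the failing URL in an XML comment next to the target, as the thread asks for the other CORS cases.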
XMLHttpRequest cannot load https://www.bilibili.com/activity/web/view/data/5. The 'Access-Control-Allow-Origin' header has a value 'http://planet2017.bilibili.com' that is not equal to the supplied origin. Origin 'https://planet2017.bilibili.com' is therefore not allowed access.
The content in the announcement is broken.
How do you find this kind of wrong-header problem?
Just open the console and look.
So it isn't fiery golden eyes after all; how disappointing...
<target host="www.bilibili.com" /> | ||
<exclusion pattern="^http://www\.bilibili\.com/(?!online\.js|widget/)" /> | ||
<test url="http://www.bilibili.com/online.js" /> | ||
<test url="http://www.bilibili.com/widget/getSearchDefaultWords" /> |
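Review bot: the negative lookahead `(?!online\.js|widget/)` deliberately keeps `/widget/` paths rewritable, but the console error below shows `widget/getSearchDefaultWords` answering with `Access-Control-Allow-Origin: http://bangumi.bilibili.com`, so any rewrite that changes the requesting origin will be refused. Consider excluding that path explicitly and keeping its `<test url>` so the exclusion is exercised.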
XMLHttpRequest cannot load https://www.bilibili.com/widget/getSearchDefaultWords. The 'Access-Control-Allow-Origin' header has a value 'http://bangumi.bilibili.com' that is not equal to the supplied origin. Origin 'http://www.bilibili.com' is therefore not allowed access.
I'm never creating such complicated rules again this year; if I write another I'll chop my hand off (cries
@gloomy-ghost Suddenly I have a panicked feeling that a kichiku big brother is watching us. Most of these problems no longer exist! Aaah...
Doing everything possible to avoid CORS
My open PRs are back up to a full 3 pages, 75 of them...
It's the end of the year, reviewers need a holiday too... Someone who graduated from a 211 university shouldn't fuss over being a top student; only people still in the ivory tower say that (flees
I really don't fuss anymore; I only think about how many years of life I have left under the smog...
<exclusion pattern="^http://www\.bilibili\.com/index/index-icon\.json" /> | ||
<exclusion pattern="^http://www\.bilibili\.com/widget/getSearchDefaultWords" /> | ||
<test url="http://www.bilibili.com/index/index-icon.json" /> | ||
<test url="http://www.bilibili.com/widget/getSearchDefaultWords" /> |
As with #7944 before, please also write the URLs that trigger CORS in the comments; it makes future maintenance easier.
|
||
<target host="data.bilibili.com" /> | ||
<exclusion pattern="^http://data\.bilibili\.com/$" /> | ||
<exclusion pattern="^http://data\.bilibili\.com/e/p" /> |
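Review bot: the two `data.bilibili.com` exclusions (`^http://data\.bilibili\.com/$` and `/e/p`) carry neither a comment saying what breaks without them nor a `<test url>` that exercises them; add one test per exclusion (for instance `<test url="http://data.bilibili.com/" />`) and a one-line XML comment, in line with the request above to document CORS-triggering URLs.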
According to what was said in #6629 (comment), breaking ads/analytics is no big deal (flees
<target host="game.bilibili.com" /> | ||
<target host="interface.bilibili.com" /> | ||
<test url="http://interface.bilibili.com/msg.xml" /> | ||
<target host="api.live.bilibili.com" /> |
api.live.bilibili.com and https://api.live.bilibili.com serve different content; is there an example of an API that works normally under https?
<target host="bmall.bilibili.com" /> | ||
<target host="game.bilibili.com" /> | ||
<target host="interface.bilibili.com" /> | ||
<test url="http://interface.bilibili.com/msg.xml" /> |
Note:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:POST, GET
Access-Control-Allow-Origin:http://www.bilibili.com
If the origin in the request is https, then the server will use Access-Control-Allow-Origin:https://www.bilibili.com instead, which means any redirection executed by HTTPS Everywhere will be blocked because the origin is dropped after the redirect. However, the player requests a protocol-relative URL, so it should be safe to keep this target as we also secured www.bilibili.com.
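A constructed Python model of the two mechanisms this PR deals with, added here and not HTTPS Everywhere's own code: the target/exclusion/rule evaluation of a ruleset (using the exclusion regex from this diff) and the origin check described in the note above. It assumes a server that echoes the www.bilibili.com origin with the scheme it receives, as the quoted headers indicate, and that an extension rewrite counts as a redirect that replaces the Origin with `null`; the page URL and hosts are constructed from the thread.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed miniature of the ruleset under review: three targets from the
# diff and the exclusion regex quoted in it. Not the real bilibili.xml.
TARGETS = {"www.bilibili.com", "interface.bilibili.com", "data.bilibili.com"}
EXCLUSIONS = [re.compile(r"^http://www\.bilibili\.com/(?!online\.js|widget/)")]
RULE_FROM, RULE_TO = re.compile(r"^http:"), "https:"


def rewrite(url):
    """HTTPS Everywhere semantics: rewrite only when the host is a target,
    no exclusion pattern matches, and the rule's from-pattern matches."""
    host = urlsplit(url).hostname
    if host not in TARGETS or any(x.match(url) for x in EXCLUSIONS):
        return url
    return RULE_FROM.sub(RULE_TO, url)


def server_acao(origin):
    """Assumed model of interface.bilibili.com from the headers in the thread:
    it echoes the www.bilibili.com origin in whichever scheme it was sent and
    otherwise falls back to the http value, so an opaque 'null' never matches."""
    if origin in ("http://www.bilibili.com", "https://www.bilibili.com"):
        return origin
    return "http://www.bilibili.com"


def xhr(page_url, resource):
    """Simulate a credentialed XHR from page_url to resource (absolute or
    protocol-relative). As the thread states, a rewrite by the extension is
    a redirect, after which the browser sends Origin: null.
    Returns (final_url, origin_sent, allowed_by_cors)."""
    page = urlsplit(page_url)
    origin = f"{page.scheme}://{page.hostname}"
    request_url = urljoin(page_url, resource)
    final_url = rewrite(request_url)
    if final_url != request_url:
        origin = "null"  # origin dropped after the redirect
    allowed = server_acao(origin) == origin
    return final_url, origin, allowed


if __name__ == "__main__":
    page = "https://www.bilibili.com/video/av12345/"  # constructed page URL
    # Absolute http URL: rewritten -> redirect -> Origin null -> blocked.
    print(xhr(page, "http://interface.bilibili.com/msg.xml"))
    # Protocol-relative URL: already https, no redirect -> allowed.
    print(xhr(page, "//interface.bilibili.com/msg.xml"))
    # Exclusion check: only online.js and widget/ are rewritten on www.
    print(rewrite("http://www.bilibili.com/online.js"))
    print(rewrite("http://www.bilibili.com/index/index-icon.json"))
```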
<!-- Directly: --> | ||
<target host="account.bilibili.com" /> | ||
<test url="http://account.bilibili.com/site/nameplate.html" /> | ||
<target host="big.bilibili.com" /> |
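Review bot: `big.bilibili.com` is listed under `<!-- Directly: -->`, but the console message below shows `https://big.bilibili.com/site/big.html` loading `http://vip.bilibili.com/site/vip-exchange-plugin.html` and being mixed-content blocked. Either add `vip.bilibili.com` as a target if it serves HTTPS, or move `big.bilibili.com` to the MCB list in the header comment with a note on what breaks.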
Mixed Content: The page at 'https://big.bilibili.com/site/big.html' was loaded over HTTPS, but requested an insecure resource 'http://vip.bilibili.com/site/vip-exchange-plugin.html?'. This request has been blocked; the content must be served over HTTPS.
If the origin in request is https, then the server will use Access-Control-Allow-Origin:https://www.bilibili.com instead. | ||
|
||
Which means any redirection executed by https everywhere will be blocked because the origin is dropped after redirect. However, the player requests a protocol-relative URL, so it should be safe to keep this target as we also secured www.bilibili.com . | ||
|
...I only wrote it there for reference; after all, this gets blocked as soon as there is a redirect, and if a problem comes up and someone traces it to this PR, that would be a bit hard to justify.
( test: http://h.bilibili.com/dy\d+ ) | ||
- comment.bilibili.com | ||
( test: https://www.bilibili.com/video/av\d+/ ) | ||
( Functional breakage. Test: http://h.bilibili.com/dy\d+ ) |
Please list the issue specifically, something like "Comments are not displaying properly".
No description provided.