Sorry to bring up this old thread again, but the allowedMimeRegExp suggestions given here are dangerous & not what is expected, & given https://forums.informaction.com/viewtopic.php?f=7&t=21206 I feel the need to clarify what they are really doing.
Tom T. wrote:
application/x-unknown <IFRAME> / http://*.s3.us.archive.org
This one is Allowing:
1) embeddings with a MIME type "application/x-unknown" on *all* sites,
2) embeddings with a MIME type "<IFRAME>" on *all* sites,
3) (I think) embeddings with a MIME type "/" (or is it an implicit */* ? I don't think so but not totally sure) on *all* sites, and
4) embeddings with a MIME type "http://*.s3.us.archive.org" on *all* sites.
Tom T. wrote:
application/x-unknown <IFRAME>@http://*\.s3\.us\.archive\.org/*
Here again is Allowing same as (1) above, but additionally is Allowing all embeddings with MIME type "<IFRAME>" from all sites that match the regex "http://*\.s3\.us\.archive\.org/*" - i.e. http:/ followed by 0 or more / followed by ".s3.us.archive.org" followed by 0 or more /
Even despite the fact that "<IFRAME>" isn't a valid MIME type nor is it a pseudo-type usable in allowedMimeRegExp, in practice the <IFRAME> portion of this suggestion would not Allow anything on any site, because out of a URL like http://example.net/test/foo, only the "http://example.net" (called the "site") part is matched against, and as no domain starts with a . the pattern thus cannot match a valid site.
Here's a better link to the screenshot, as the link landing page isn't working for me:
http://imagizer.imageshack.us/v2/900x600q90/16/noscriptmbiframe.png
The following suggestion for allowedMimeRegExp will probably work in this case & is not counter-intuitive in any way:
FRAME@https?://mbid-[0-9a-f-]+\.s3\.us\.archive\.org
Bye
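
The matching rules described in the post above, as an added example that is not part of the original post and is not NoScript's own code. It assumes whitespace-separated entries of the form TYPE or TYPE@SITE, whole-string case-insensitive matching, and a site made of scheme and host only; the function names and the sample URLs are made up for the illustration.

```javascript
// Added example: a model of the matching rules as this post describes them.
// Assumptions (not NoScript's code): entries are whitespace-separated, an
// entry is TYPE or TYPE@SITE, both parts are whole-string, case-insensitive
// regular expressions, and SITE is tested against scheme://host only.
function parseEntries(pref) {
  return pref.trim().split(/\s+/).filter(Boolean).map((entry) => {
    const at = entry.indexOf("@");
    return at < 0
      ? { entry, type: entry, site: null } // no "@": not tied to any site
      : { entry, type: entry.slice(0, at), site: entry.slice(at + 1) };
  });
}

function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // path and query are dropped
}

function fullMatch(pattern, text) {
  return new RegExp(`^(?:${pattern})$`, "i").test(text);
}

// True when at least one entry allows an embedding of `type` loaded from `url`.
function isAllowed(pref, type, url) {
  const site = siteOf(url);
  return parseEntries(pref).some(
    (e) => fullMatch(e.type, type) && (e.site === null || fullMatch(e.site, site))
  );
}

// Audit helper: entries that apply on every site because they have no "@SITE".
function unscopedEntries(pref) {
  return parseEntries(pref).filter((e) => e.site === null).map((e) => e.entry);
}

// The three values discussed in the post.
const FIRST = String.raw`application/x-unknown <IFRAME> / http://*.s3.us.archive.org`;
const SECOND = String.raw`application/x-unknown <IFRAME>@http://*\.s3\.us\.archive\.org/*`;
const SCOPED = String.raw`FRAME@https?://mbid-[0-9a-f-]+\.s3\.us\.archive\.org`;
// Constructed sample URLs (the mbid host name is made up for the example).
const ARCHIVE = "https://mbid-0a1b2c3d-4e5f.s3.us.archive.org/cover/front.jpg";
const OTHER = "http://example.net/test/foo";

for (const [name, pref] of Object.entries({ FIRST, SECOND, SCOPED })) {
  console.log(name, "unscoped:", unscopedEntries(pref),
    "x-unknown@other:", isAllowed(pref, "application/x-unknown", OTHER),
    "FRAME@archive:", isAllowed(pref, "FRAME", ARCHIVE),
    "FRAME@other:", isAllowed(pref, "FRAME", OTHER));
}
```

Running unscopedEntries over an existing allowedMimeRegExp value lists every entry that is not tied to a site.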