On Wed, May 03, 2023 at 12:05:54PM +0200, Hendrik Leppkes wrote:
> On Tue, May 2, 2023 at 10:57 PM James Almer wrote:
> >
> > >
> > > added
> > > +{"same_none" , "same origin check off" , 0 , AV_OPT_TYPE_CONST, { .i64 = AVFMT_SAME_ORIGIN_CHECK_NONE }, 0, INT_MAX, D|E, "same_origin"},
> >
> > "none" sounds more natural.
> >
> > >
> > >> And do we want check_path to be default? It's a change
> > >> in behavior.
> > >
> > > is it useful if it's not enabled by default?
> >
> > It is, since it can be enabled, like the whitelists and blacklists, but
> > the question is if it's preferable to have it enabled. If you consider
> > it so, then it's good and I won't oppose it.
> >
>
> Is there any estimation how many legitimate streams would be broken by
> these options?
> If any major streams don't work with this, then it's not a good option,
> and e.g. library users will likely just turn it off or to a lower
> setting, as proper streams just have to work - and log output is
> pretty much useless for API usage cases.
>
> A quick check for example shows that even something as simple as the
> HLS BBC Radio streams will fail _all_ checks, since the playlists are
> hosted on another host entirely as the media, thanks to Akamai live
> streaming.
> Playlist here, as an example:
> http://a.files.bbci.co.uk/media/live/manifesto/audio/simulcast/hls/nonuk/sbr_low/ak/bbc_radio_one.m3u8

yes, that's why it says RFC in the subject, I had expected that a bit already

still OTOH, blocking these by default is the safer option, I mean if a user
does a ./ffplay http://trustedfoobar.org/cutevideo.avi
would she expect that video to access http://127.0.0.1/ and later
http://evilhost/localwebscan-success
I think this should not be possible by default settings, it's unexpected

maybe a whitelist of hosts or urls. Something the user could add
*.akamaized.net to may be an option

Thx

[...]
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didn't complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"
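
Review bot: on the quoted `same_none` entry, the help string "same origin check off" does not say what the check stops restricting once it is off; since this value is the one users will reach for when a stream breaks, the help text should state the consequence in a few words. The name also repeats the `same_origin` unit it belongs to, so the shorter `none` proposed in the reply fits the option better.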