diff --git a/README.md b/README.md
index 1da2783..8b66b87 100644
--- a/README.md
+++ b/README.md
@@ -77,7 +77,7 @@ Parameters are provided to configure the behavior of the bridge. These parameter
 * __send_buffer_limit__: Connection send buffer limit in bytes. Messages will be dropped when a connection's send buffer reaches this limit to avoid a queue of outdated messages building up. Defaults to `10000000` (10 MB).
 * __use_compression__: Use websocket compression (permessage-deflate). Suited for connections with smaller bandwith, at the cost of additional CPU load.
 * __capabilities__: List of supported [server capabilities](https://github.com/foxglove/ws-protocol/blob/main/docs/spec.md). Defaults to `[clientPublish,parameters,parametersSubscribe,services,connectionGraph,assets]`.
- * __asset_uri_allowlist__: List of regular expressions ([ECMAScript grammar](https://en.cppreference.com/w/cpp/regex/ecmascript)) of allowed asset URIs. Uses the [resource_retriever](https://index.ros.org/p/resource_retriever/github-ros-resource_retriever) to resolve `package://`, `file://` or `http(s)://` URIs. Note that this list should be carefully configured such that no confidential files are accidentally exposed over the websocket connection. As an extra security measure, URIs containing two consecutive dots (`..`) are disallowed as they could be used to construct URIs that would allow retrieval of confidential files if the allowlist is not configured strict enough (e.g. `package:///../../../secret.txt`). Defaults to `["package://(\w+/?)+\.(dae|stl|urdf|xacro)"]`.
+ * __asset_uri_allowlist__: List of regular expressions ([ECMAScript grammar](https://en.cppreference.com/w/cpp/regex/ecmascript)) of allowed asset URIs. Uses the [resource_retriever](https://index.ros.org/p/resource_retriever/github-ros-resource_retriever) to resolve `package://`, `file://` or `http(s)://` URIs. Note that this list should be carefully configured such that no confidential files are accidentally exposed over the websocket connection.
As an extra security measure, URIs containing two consecutive dots (`..`) are disallowed as they could be used to construct URIs that would allow retrieval of confidential files if the allowlist is not configured strict enough (e.g. `package:///../../../secret.txt`). Defaults to `["^package://(?:\w+/)*\w+\.(?:dae|fbx|glb|gltf|jpeg|jpg|mtl|obj|png|stl|tif|tiff|urdf|webp|xacro)$"]`. * (ROS 1) __max_update_ms__: The maximum number of milliseconds to wait in between polling `roscore` for new topics, services, or parameters. Defaults to `5000`. * (ROS 1) __service_type_retrieval_timeout_ms__: Max number of milliseconds for retrieving a services type information. Defaults to `250`. * (ROS 2) __num_threads__: The number of threads to use for the ROS node executor. This controls the number of subscriptions that can be processed in parallel. 0 means one thread per CPU core. Defaults to `0`. diff --git a/ros1_foxglove_bridge/launch/foxglove_bridge.launch b/ros1_foxglove_bridge/launch/foxglove_bridge.launch index 5103176..4a3210d 100644 --- a/ros1_foxglove_bridge/launch/foxglove_bridge.launch +++ b/ros1_foxglove_bridge/launch/foxglove_bridge.launch @@ -13,7 +13,7 @@ - + >( - "asset_uri_allowlist", {"package://(/?\\w+)+\\.(dae|stl|urdf|xacro)"}); + "asset_uri_allowlist", + {"^package://(?:\\w+/" + ")*\\w+\\.(?:dae|fbx|glb|gltf|jpeg|jpg|mtl|obj|png|stl|tif|tiff|urdf|webp|xacro)$"}); _assetUriAllowlistPatterns = parseRegexPatterns(assetUriAllowlist); if (assetUriAllowlist.size() != _assetUriAllowlistPatterns.size()) { ROS_ERROR("Failed to parse one or more asset URI whitelist patterns"); diff --git a/ros2_foxglove_bridge/launch/foxglove_bridge_launch.xml b/ros2_foxglove_bridge/launch/foxglove_bridge_launch.xml index a1d3dfb..fd6a452 100644 --- a/ros2_foxglove_bridge/launch/foxglove_bridge_launch.xml +++ b/ros2_foxglove_bridge/launch/foxglove_bridge_launch.xml @@ -15,7 +15,7 @@ - + 
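Review bot: The new default in the C++ hunk that sets `asset_uri_allowlist` before `parseRegexPatterns` (its file header did not survive on this page) is a dense, security-relevant regex with no comment, and the same literal is repeated in the `param_utils.cpp` hunk, in the README and, presumably, in the two launch files. I would add above it something like `// Default allowlist: package:// URIs whose path segments are \w+ only (no '.', so no ".." or dot-files) and that end in a known mesh, texture or robot-description extension.` Since the extension list now also covers image formats, it is worth keeping the copies in one named constant, or at least cross-referencing them, so the ROS 1 and ROS 2 defaults cannot drift apart. The enclosing function starts and ends outside the hunk.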
diff --git a/ros2_foxglove_bridge/src/param_utils.cpp b/ros2_foxglove_bridge/src/param_utils.cpp index 8e317c0..44fa9d2 100644 --- a/ros2_foxglove_bridge/src/param_utils.cpp +++ b/ros2_foxglove_bridge/src/param_utils.cpp @@ -153,9 +153,12 @@ void declareParameters(rclcpp::Node* node) { assetUriAllowlistDescription.description = "List of regular expressions (ECMAScript) of whitelisted asset URIs."; assetUriAllowlistDescription.read_only = true; - node->declare_parameter(PARAM_ASSET_URI_ALLOWLIST, - std::vector({"package://(/?\\w+)+\\.(dae|stl|urdf|xacro)"}), - paramWhiteListDescription); + node->declare_parameter( + PARAM_ASSET_URI_ALLOWLIST, + std::vector( + {"^package://(?:\\w+/" + ")*\\w+\\.(?:dae|fbx|glb|gltf|jpeg|jpg|mtl|obj|png|stl|tif|tiff|urdf|webp|xacro)$"}), + paramWhiteListDescription); } std::vector parseRegexStrings(rclcpp::Node* node,
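Review bot: The rewritten `declare_parameter` call for `PARAM_ASSET_URI_ALLOWLIST` still passes `paramWhiteListDescription` as its descriptor, while the `assetUriAllowlistDescription` that the preceding context lines fill in (including `read_only = true`) is never used in this hunk. As written, whether the asset allowlist is read-only at runtime depends on a descriptor that belongs to another parameter and is defined outside the hunk; for a setting that gates file access this should be explicit. The last argument should be `assetUriAllowlistDescription);`. `declareParameters` starts above the hunk, so how `paramWhiteListDescription` is configured could not be checked from here.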