Bug: the obsidian v1.5.0 iframe not support local source ? about obsidian-api HOT 20 OPEN

Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.

Hello! The creator of Markmind has developed a remarkable product. They have implemented a feature that allows specific PDF annotations to link and jump to an Obsidian markdown page. I believe Markmind excellently complements Obsidian's functionality with PDFs. It would be unfortunate if, due to certain security updates, this product could no longer function fully.

from obsidian-api.

I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame html.

That's great, how can i do it ?

from obsidian-api.

For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute.

Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen.

from obsidian-api.

Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?

from obsidian-api.

Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?

I put local source to .obsidian of vault ,
then use this.app.vault.adapter.getResourcePath('.obsidian/web/viewer.html'); to create a iframe url ,
Css and js are referenced in the iframe

from obsidian-api.

Let me think about it - unfortunately the vulnerability involves loading a local html file into an iframe using which it would be able to read arbitrary local files through the app:// URIs.

from obsidian-api.

Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.

from obsidian-api.

Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.

Indeed, but resources such as fonts and images still cannot be processed .

Additionally, I think that there are potential issues ( plugin can access system resources ) with using plugins , Just block iframe doesn't seem to make much sense .

（ My English is not very good, it's machine translation ）

from obsidian-api.

Can it be blocked in safe mode and allowed to load resources when the plugin is enabled ?

from obsidian-api.

I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame html.

from obsidian-api.

Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your javascript and css files into the html directly... Sorry about that.

from obsidian-api.

Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your javascript and css files into the html directly... Sorry about that.

ok

from obsidian-api.

I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...

from obsidian-api.

I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...

I have no idea ， If users can choose whether to enable this feature, that would be great

from obsidian-api.

I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...

Same here ✌

from obsidian-api.

the same issue, have any solution?
i've tried to wirte a local http server to load the iframe resources, but my case is a rich client application, the performance is too poor, and the local http server security risk still remains.
Will obsidian future versions open 'iframe load local resource' ?
Thanks !

from obsidian-api.

I'm using the singleFile browser plugin to crop it into an html how do I embed it and how do I tag this html file

from obsidian-api.

Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?

ok, can you tell me which obsidian version still supports iframe? I'm looking forward to your reply.

from obsidian-api.

ok, can you tell me which obsidian version still supports iframe? I'm looking forward to your reply.

I believe that the last release that supported iframes was 1.4.16. I downgraded to this version and it works fine for me. You can download old releases here.

from obsidian-api.

For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute.

Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen.

MarkMind plugin is a revolutionary plugin for obsidian, you are killing it ...

from obsidian-api.