Comments (20)
Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.
Hello! The creator of Markmind has developed a remarkable product. They have implemented a feature that allows specific PDF annotations to link and jump to an Obsidian markdown page. I believe Markmind excellently complements Obsidian's functionality with PDFs. It would be unfortunate if, due to certain security updates, this product could no longer function fully.
from obsidian-api.
I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame html.
That's great, how can I do it?
from obsidian-api.
For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute.
Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen.
from obsidian-api.
Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?
from obsidian-api.
Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?
I put the local source in .obsidian of the vault, then use this.app.vault.adapter.getResourcePath('.obsidian/web/viewer.html'); to create an iframe URL. CSS and JS are referenced in the iframe.
from obsidian-api.
Let me think about it - unfortunately the vulnerability involves loading a local html file into an iframe using which it would be able to read arbitrary local files through the app:// URIs.
from obsidian-api.
Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.
from obsidian-api.
Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.
Indeed, but resources such as fonts and images still cannot be processed.
Additionally, I think that there are potential issues (plugins can access system resources) with using plugins, so just blocking iframes doesn't seem to make much sense.
(My English is not very good, it's machine translation.)
from obsidian-api.
Can it be blocked in safe mode and allowed to load resources when the plugin is enabled?
from obsidian-api.
I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame html.
from obsidian-api.
Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your javascript and css files into the html directly... Sorry about that.
from obsidian-api.
Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your javascript and css files into the html directly... Sorry about that.
ok
from obsidian-api.
I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...
from obsidian-api.
I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...
I have no idea. If users can choose whether to enable this feature, that would be great.
from obsidian-api.
I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...
Same here ✌
from obsidian-api.
The same issue; is there any solution?
I've tried to write a local HTTP server to load the iframe resources, but my case is a rich client application, the performance is too poor, and the local HTTP server security risk still remains.
Will future Obsidian versions open 'iframe load local resource'?
Thanks!
from obsidian-api.
I'm using the SingleFile browser plugin to crop it into an HTML file. How do I embed it, and how do I tag this HTML file?
from obsidian-api.
Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?
OK, can you tell me which Obsidian version still supports iframe? I'm looking forward to your reply.
from obsidian-api.
OK, can you tell me which Obsidian version still supports iframe? I'm looking forward to your reply.
I believe that the last release that supported iframes was 1.4.16. I downgraded to this version and it works fine for me. You can download old releases here.
from obsidian-api.
For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute.
Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen.
The MarkMind plugin is a revolutionary plugin for Obsidian, you are killing it ...
from obsidian-api.
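The workaround described in this thread (embedding CSS and JS into the HTML), extended to the fonts and images raised in one reply, as an added example that is not code from Obsidian or from any plugin. The names `inlineAssets` and `resolveInside`, the `files` map and the sample contents are assumptions made for illustration; the regex matching assumes simple, well-formed tags, and any reference that is a URL, an absolute path or resolves outside the viewer folder is rejected rather than inlined.

```javascript
// Added example: build one self-contained HTML string from a viewer folder.
// `files` maps vault-relative paths to contents (string or Uint8Array).
const MIME = { png: 'image/png', jpg: 'image/jpeg', svg: 'image/svg+xml', woff2: 'font/woff2' };
// Resolve `ref` relative to `fromDir`; reject URLs, absolute paths and anything
// that ends up outside `root`, so a crafted reference cannot pull in other files.
function resolveInside(root, fromDir, ref) {
  if (/^([a-z][a-z0-9+.-]*:|[\\/])/i.test(ref)) throw new Error('not a relative path: ' + ref);
  const out = [];
  for (const part of (fromDir + '/' + ref.split(/[?#]/)[0]).split(/[\\/]+/)) {
    if (part === '..') out.pop(); else if (part !== '' && part !== '.') out.push(part);
  }
  if (!out.join('/').startsWith(root + '/')) throw new Error('outside ' + root + ': ' + ref);
  return out.join('/');
}
function inlineAssets(files, root, htmlName) {
  const read = (fromDir, ref) => {
    const path = resolveInside(root, fromDir, ref);
    if (!Object.hasOwn(files, path)) throw new Error('missing asset: ' + path);
    return { path, data: files[path] };
  };
  const text = (d) => (typeof d === 'string' ? d : Buffer.from(d).toString('utf8'));
  const dataUri = (fromDir, ref) => {
    const { path, data } = read(fromDir, ref);
    const mime = MIME[path.split('.').pop().toLowerCase()] || 'application/octet-stream';
    return 'data:' + mime + ';base64,' + Buffer.from(data).toString('base64');
  };
  // url(...) inside a stylesheet is relative to that stylesheet's own folder.
  const css = (fromDir, ref) => {
    const { path, data } = read(fromDir, ref);
    return text(data).replace(/url\(\s*['"]?([^'")]+?)['"]?\s*\)/g, (m, u) =>
      (u.startsWith('data:') ? m : 'url("' + dataUri(path.slice(0, path.lastIndexOf('/')), u) + '")'));
  };
  // Escape "</script" so inlined code cannot close its own element early.
  const js = (fromDir, ref) => text(read(fromDir, ref).data).replace(/<\/(script)/gi, '<\\/$1');
  // One pass over the HTML, so inlined content is never rescanned for tags.
  const TAGS = /<link\b[^>]*\bhref=["']([^"']+)["'][^>]*>|<script\b[^>]*\bsrc=["']([^"']+)["'][^>]*>\s*<\/script>|(<img\b[^>]*?\bsrc=["'])([^"']+)/gi;
  return text(read(root, htmlName).data).replace(TAGS, (m, href, src, imgPre, imgSrc) => {
    if (href) return /rel=["']?stylesheet/i.test(m) ? '<style>' + css(root, href) + '</style>' : m;
    if (src) return '<script>' + js(root, src) + '</script>';
    return imgSrc.startsWith('data:') ? m : imgPre + dataUri(root, imgSrc);
  });
}
// Constructed sample: a small viewer folder inside a vault's .obsidian directory.
const SAMPLE = {
  '.obsidian/web/viewer.html': '<link rel="stylesheet" href="css/viewer.css"><script src="viewer.js"></script><img src="logo.png">',
  '.obsidian/web/css/viewer.css': '@font-face { src: url("../fonts/a.woff2"); }',
  '.obsidian/web/fonts/a.woff2': new Uint8Array([1, 2, 3]),
  '.obsidian/web/viewer.js': 'document.title = "</script>";',
  '.obsidian/web/logo.png': new Uint8Array([137, 80, 78, 71]),
};
```

The returned string has no external references left, so it can be handed to the iframe as a single document.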