Security Concern #54
I'd like to know if you have adopted any procedure to prevent 3rd-party Obsidian plugins from accessing and manipulating data in web view sessions, as it can bring serious security issues while we are signed in to our accounts. Therefore, I suppose any process in the Electron app is able to access sensitive information such as emails if it is instructed to do so.
Other than that, I expected the sessions to be isolated between each web view as well, but that's not the case.
And finally, I'd rather see the actual User-Agent in Google activity logs than "Chrome", which makes the ACL review easier.

Comments

Hi, thanks for your inquiry! Custom Frames does not have any custom security management, nor are there plans to add any. The ability to access the sites you're browsing is not exclusive to Custom Frames, as the same security concerns arise when simply using an If you're concerned about your personal data when using this plugin, I advise not installing any additional plugins by authors you don't trust, or always checking the plugins' source code for anything that could be malicious. Finally, the request to use a custom user-agent is being tracked in #26.

Hi, thanks for your quick response. I would like to clarify that the difference between using Chrome extensions is that Google regularly reviews the extensions provided on its Web Store and even goes further to provide approval seals to some of those. Other than that, we have explicit permission control over those extensions in the web browser. Such precautions are not taken in Obsidian's plugin store, nor is there any permission control provided. Many Obsidian users, including myself, are using several 3rd-party plugins, and I believe we need to find a solution with the help of @obsidianmd (@lishid, @ericaxu, @liamcain, etc.), since not everyone is technical and the responsibility for their data safety is on us. I'm quite busy, but if I find some time to do something about this, I'd send a PR your way ;) For now, I'm going to use this plugin for static websites, but I don't feel comfortable connecting my Google account in order to pin my Calendar.

I'll briefly reopen this issue because I think it makes a lot of sense to add a notice when first adding a custom frame that informs the user about the security implications related to their personal data on websites.

Additionally, I think web data security is a broader issue that also relates to the use of iframes and other plugins that involve inputting personal data for use on websites, like the Kindle and Todoist plugins. In my opinion, it would make the most sense to open a discussion about this on the Obsidian forum, where a more generalized solution for plugin developers (and plugin users) can be discussed.

@samariafar Unfortunately it is practically impossible to secure plugins without severely crippling the API. For more details, read the thread on the forum here. In the end it really depends on your threat model, how much you trust the plugin authors, how comfortable you are with using programs downloaded from the internet, how much work you are willing to put in to audit plugin code, and how much you value convenience. I don't think this can be solved by Obsidian or this plugin.

Could not agree more with the view expressed here!

Hi! The creator of Obsidian, lishid, has already answered this question above and linked to a forum thread where this issue can be discussed in greater detail. This is not an issue for Custom Frames to deal with or attempt to fix. Since this issue is linked in the plugin's settings as a reference for any security concerns users might have, I want it to be kept as clean as possible, and as such, I'm going to lock it for now.