Bug: the Obsidian v1.5.0 iframe does not support local source? #142
Comments
Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?
I put local source to
Let me think about it - unfortunately the vulnerability involves loading a local HTML file into an iframe using which it would be able to read arbitrary local files through the app:// URIs.
Hmm, one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.
Indeed, but resources such as fonts and images still cannot be processed. Additionally, I think that there are potential issues (plugins can access system resources) with using plugins. Just blocking the iframe doesn't seem to make much sense. (My English is not very good, it's machine translation.)
Can it be blocked in safe mode and allowed to load resources when the plugin is enabled?
Hello! The creator of Markmind has developed a remarkable product. They have implemented a feature that allows specific PDF annotations to link and jump to an Obsidian markdown page. I believe Markmind excellently complements Obsidian's functionality with PDFs. It would be unfortunate if, due to certain security updates, this product could no longer function fully.
I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame HTML.
That's great, how can I do it?
Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your JavaScript and CSS files into the HTML directly... Sorry about that.
ok
I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...
I have no idea. If users can choose whether to enable this feature, that would be great.
Same here ✌
The same issue. Is there any solution?
For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute. Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen.
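The bundling workaround described in the comment above, as an added example that is not part of the original thread or of Obsidian's code: it folds double-quoted `<script src>`, `<link rel="stylesheet">` and `<img src>` references into the HTML and refuses any reference that leaves the page's own folder. The function names and the caller-supplied `readAsset` loader are assumptions made for illustration.

```javascript
// Added example: inline a page's local CSS, JS and images so the iframe loads no local file.
// Assumption: readAsset(relPath) is supplied by the caller and returns a Buffer.
const IMAGE_MIME = { png: "image/png", jpg: "image/jpeg", gif: "image/gif", svg: "image/svg+xml" };

// Accept only relative references that stay inside the page's own folder.
function safeRelPath(ref) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref) || /^[\\/]/.test(ref)) return null; // scheme or absolute path
  const parts = [];
  for (const seg of ref.split(/[\\/]/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") return null; // never climb out of the folder
    parts.push(seg);
  }
  return parts.length ? parts.join("/") : null;
}

function toDataUri(relPath, buf) {
  const ext = relPath.split(".").pop().toLowerCase();
  return `data:${IMAGE_MIME[ext] || "application/octet-stream"};base64,${buf.toString("base64")}`;
}

function inlineAssets(html, readAsset) {
  // Rejected references return null and the original tag is left exactly as it was.
  const load = (ref) => { const p = safeRelPath(ref); return p ? { p, buf: readAsset(p) } : null; };
  // <script src="x.js"></script> becomes <script>...</script>
  html = html.replace(/<script\b([^>]*?)\ssrc="([^"]+)"([^>]*)>\s*<\/script>/gi, (m, a, src, b) => {
    const f = load(src);
    if (!f) return m;
    // Keep a literal "</script" inside the code from closing the element early.
    const code = f.buf.toString("utf8").replace(/<\/script/gi, "<\\/script");
    return `<script${a}${b}>${code}</script>`;
  });
  // <link rel="stylesheet" href="x.css"> becomes <style>...</style>
  html = html.replace(/<link\b[^>]*\bhref="([^"]+)"[^>]*>/gi, (m, href) => {
    if (!/\brel="stylesheet"/i.test(m)) return m;
    const f = load(href);
    return f ? `<style>${f.buf.toString("utf8").replace(/<\/style/gi, "<\\/style")}</style>` : m;
  });
  // <img src="x.png"> gets a data: URI in place of the file reference
  html = html.replace(/(<img\b[^>]*?\ssrc=")([^"]+)(")/gi, (m, pre, src, post) => {
    const f = load(src);
    return f ? pre + toDataUri(f.p, f.buf) + post : m;
  });
  return html;
}

// Constructed demo input: one allowed stylesheet and one reference that is refused.
const demoFiles = { "style.css": Buffer.from("body{margin:0}") };
const demoOut = inlineAssets('<link rel="stylesheet" href="style.css"><img src="../x.png">', (p) => demoFiles[p]);
```

`url(...)` references inside CSS, such as fonts, are not rewritten by this sketch and would need the same treatment.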
I'm using the SingleFile browser plugin to crop it into an HTML file. How do I embed it, and how do I tag this HTML file?
OK, can you tell me which Obsidian version still supports iframes? I'm looking forward to your reply.
I believe that the last release that supported iframes was 1.4.16. I downgraded to this version and it works fine for me. You can download old releases here.
The MarkMind plugin is a revolutionary plugin for Obsidian, you are killing it ...
Steps to reproduce: