Bug: the obsidian v1.5.0 iframe not support local source ? #142
Comments
MarkMindCkm
changed the title
|
Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using? |
I put local source to |
|
Let me think about it - unfortunately the vulnerability involves loading a local html file into an iframe using which it would be able to read arbitrary local files through the app:// URIs. |
|
Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though. |
Indeed, but resources such as fonts and images still cannot be processed . Additionally, I think that there are potential issues ( plugin can access system resources ) with using plugins , Just block iframe doesn't seem to make much sense . ( My English is not very good, it's machine translation ) |
|
Can it be blocked in safe mode and allowed to load resources when the plugin is enabled ? |
Hello! The creator of Markmind has developed a remarkable product. They have implemented a feature that allows specific PDF annotations to link and jump to an Obsidian markdown page. I believe Markmind excellently complements Obsidian's functionality with PDFs. It would be unfortunate if, due to certain security updates, this product could no longer function fully. |
|
I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame html. |
That's great, how can i do it ? |
|
Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your javascript and css files into the html directly... Sorry about that. |
ok |
|
I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way... |
I have no idea , If users can choose whether to enable this feature, that would be great |
Same here ✌ |
|
the same issue, have any solution? |
|
For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute. Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen. |
|
I'm using the singleFile browser plugin to crop it into an html how do I embed it and how do I tag this html file |
ok, can you tell me which obsidian version still supports iframe? I'm looking forward to your reply. |
I believe that the last release that supported iframes was 1.4.16. I downgraded to this version and it works fine for me. You can download old releases here. |
MarkMind plugin is a revolutionary plugin for obsidian, you are killing it ... |
Steps to reproduce:
The text was updated successfully, but these errors were encountered: