Security considerations

[crxo]

This looks like a really exciting plug-in that I’m excited to try with Actions for Obsidian. But first, I wanted to fully understand the security considerations. I apologise if this has already been documented. I couldn’t find anything, so please point me in the right direction.

Primarily, on iOS, is it possible that other apps could modify or get information from my Vault using the action uri and callback?

Also, could a malicious website craft a url to modify my vault? Would they also be able to get it to callback to a url they control?

Thanks so much for your work on this plugin.

[czottmann]

@crxo All good questions! 👍🏼

on iOS, is it possible that other apps could modify or get information from my Vault using the action uri and callback?

Actions URI utilizes Obsidian's own URI scheme, i.e. its built-in API. Basically, Obsidian sets up the possibility for other apps to call an obsidian://… URL, and an installed Obsidian plugin can register new paths under that URL, like obsidian://actions-uri/…. When a call comes in, Obsidian will relay it to the plugin, and whatever should happen with that incoming request is the responsibility of the plugin.

But the Obsidian API is URI-based, meaning API calls are URLs just like https://…, just that the receiver isn't a browser but Obsidian. But that means that an app which wants to call Obsidian can only tell iOS/macOS to open that URI, and the OS knows which app can handle it. In the case of iOS, it'll show an alert the first time an app tries to do that, asking the user whether or not to allow it. So if an app is trying to make an Obsidian API call, you'll be notified, and then you'll have a choice.

Also, could a malicious website craft a url to modify my vault? Would they also be able to get it to callback to a url they control?

Theoretically, yes. But for the same reasons stated above, the browser will ask you whether you want to allow that.

Let me know if you have more questions, or stop on by on the forum!