obsidianmd / obsidian-api

Type definitions for the latest Obsidian API.
https://docs.obsidian.md
MIT License

Bug: the obsidian v1.5.0 iframe not support local source ? #142

Open MarkMindCkm opened 7 months ago

MarkMindCkm commented 7 months ago

Steps to reproduce:

lishid commented 7 months ago

Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?

MarkMindCkm commented 7 months ago

> Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?

I put the local source in the .obsidian folder of the vault, then use this.app.vault.adapter.getResourcePath('.obsidian/web/viewer.html'); to create an iframe URL. CSS and JS are referenced in the iframe.

lishid commented 7 months ago

Let me think about it - unfortunately the vulnerability involves loading a local html file into an iframe using which it would be able to read arbitrary local files through the app:// URIs.

lishid commented 7 months ago

Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.

MarkMindCkm commented 7 months ago

> Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.

Indeed, but resources such as fonts and images still cannot be processed.

Additionally, I think that there are potential issues (plugins can access system resources) with using plugins. Just blocking the iframe doesn't seem to make much sense.

(My English is not very good, it's machine translation.)

MarkMindCkm commented 7 months ago

Can it be blocked in safe mode and allowed to load resources when the plugin is enabled?

jiangnanqw12 commented 6 months ago

> Hmm one workaround for now I can think of is to read the files and send them directly to the iframe. Alternatively you could embed them into the HTML. Both approaches are kinda tedious though.

Hello! The creator of Markmind has developed a remarkable product. They have implemented a feature that allows specific PDF annotations to link and jump to an Obsidian markdown page. I believe Markmind excellently complements Obsidian's functionality with PDFs. It would be unfortunate if, due to certain security updates, this product could no longer function fully.

lishid commented 6 months ago

I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame html.

MarkMindCkm commented 6 months ago

> I think given most people are using some form of plugins it will offer zero protection for most people. I do have a potential solution, assuming you can load your iframe resources from the same folder as the frame html.

That's great, how can I do it?

lishid commented 6 months ago

Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your javascript and css files into the html directly... Sorry about that.

MarkMindCkm commented 6 months ago

> Unfortunately I tried a few things and they all turned out to have vulnerabilities or various ways that can be used to bypass. That means you'll need to find a way to embed your javascript and css files into the html directly... Sorry about that.

ok

cirida commented 5 months ago

I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...

MarkMindCkm commented 5 months ago

> I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...

I have no idea. If users can choose whether to enable this feature, that would be great.

vskorjanc commented 5 months ago

> I have this issue as well! How do you work around this? I have a bunch of plotly graphs I've been displaying this way...

Same here ✌

calandradas commented 4 months ago

The same issue, is there any solution? I've tried to write a local HTTP server to load the iframe resources, but my case is a rich client application, the performance is too poor, and the local HTTP server security risk still remains. Will future Obsidian versions open 'iframe load local resource'? Thanks!

lishid commented 4 months ago

For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute.

Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen.
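
The bundling workaround described in the comment above, as an added example that is not part of the thread or of Obsidian's code: a build-time step that inlines a frame's local CSS and JS into the HTML and refuses any reference that leaves the frame's folder. The function names, the in-memory `files` map and the sample content are assumptions made for illustration.

```javascript
// Added example: inline a frame's local CSS and JS into the HTML itself.
// Hypothetical names; `files` stands in for reading the plugin folder from disk.

// Resolve `ref` against `baseDir`. Returns null for anything with a scheme
// (https:, app:, file:, C:), absolute paths, or paths that climb out of baseDir.
function resolveInside(baseDir, ref) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref) || /^[\\/]/.test(ref)) return null;
  const out = [];
  for (const seg of ref.split(/[\\/]/)) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') out.push(seg);
    else if (out.length === 0) return null; // would escape baseDir
    else out.pop();
  }
  return out.length ? baseDir + '/' + out.join('/') : null;
}

// Matches <script src=...></script> (group 1) or <link href=...> (group 2) in one pass.
const ASSET_TAGS = /<script\b[^>]*?\bsrc=["']([^"']+)["'][^>]*><\/script>|<link\b[^>]*?\bhref=["']([^"']+)["'][^>]*>/gi;

function inlineAssets(html, baseDir, files) {
  const skipped = [];
  // Return the file body wrapped in <tag>, or null if the reference is refused.
  const embed = (ref, tag) => {
    const path = resolveInside(baseDir, ref);
    if (path === null || !files.has(path)) { skipped.push(ref); return null; }
    // Escape "</script" / "</style" so content cannot close its element early.
    const close = new RegExp('<\\/(' + tag + ')', 'gi');
    return '<' + tag + '>' + files.get(path).replace(close, '<\\/$1') + '</' + tag + '>';
  };
  const out = html.replace(ASSET_TAGS, (m, src, href) => {
    if (src) return embed(src, 'script') ?? m;
    return /\brel=["']?stylesheet/i.test(m) ? (embed(href, 'style') ?? m) : m;
  });
  return { html: out, skipped };
}

// Constructed sample input, using the folder named in the thread.
const sampleFiles = new Map([
  ['.obsidian/web/viewer.css', 'body { margin: 0; }'],
  ['.obsidian/web/viewer.js', 'document.title = "</script> test";'],
]);
const sampleHtml = '<link rel="stylesheet" href="viewer.css">' +
  '<script src="./viewer.js"></script>' +
  '<script src="../../secret.js"></script>';

const bundled = inlineAssets(sampleHtml, '.obsidian/web', sampleFiles);
console.log(bundled.html);
console.log('refused:', bundled.skipped);
```

References listed in `skipped` are left as they were in the HTML, so a build can fail on a non-empty list instead of shipping a frame that still points at files outside its folder.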

idewindy commented 3 months ago

I'm using the SingleFile browser plugin to crop it into an HTML file. How do I embed it, and how do I tag this HTML file?

zfyangc commented 3 months ago

> Yeah, we had to block these because they were a security vulnerability. What URL/origin is your iframe using?

ok, can you tell me which obsidian version still supports iframe? I'm looking forward to your reply.

vskorjanc commented 3 months ago

> ok, can you tell me which obsidian version still supports iframe? I'm looking forward to your reply.

I believe that the last release that supported iframes was 1.4.16. I downgraded to this version and it works fine for me. You can download old releases here.

justarmadillo commented 1 month ago

> For now, the only solution seems to be bundling all of your CSS and JS into the HTML file that you are trying to distribute.
>
> Until we can find a better way in Electron to make sure that pages can't access resources out of their folders I don't think we can safely allow this to happen.

MarkMind plugin is a revolutionary plugin for obsidian, you are killing it ...