Can iframe sandbox restrictions be removed via a plugin?

iframe elements inside a note have some limitations in the preview. They are sandboxed with the following parameters:

sandbox = "allow-forms allow-presentation allow-same-origin allow-scripts allow-modals"

but it does not include the permissions "allow-popups" or "allow-popups-to-escape-sandbox".

I’m sure there are pretty good reasons for this, but it is inconvenient in some scenarios in which the iframe requires some kind of user login. For example:

  • iframes to preview private documents stored in OneDrive or similar cloud services
  • iframes to play Spotify playlists (without login, the playback is limited to 10 seconds per song)

These frames show a button for logging in, but when the button is pressed nothing happens (and the JS console shows the error Blocked opening '<URL>' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.)

Of course, adding sandbox="allow-popups allow-popups-to-escape-sandbox" in the markdown does not work, because (I presume) Obsidian sanitizes it and removes those options in the preview.

My specific question is: is this “sanitization” (to ensure iframe restrictions) applied also in the code generated via a plugin?

Because if this is not the case, a plugin could be written to search for specially marked content and replace it with an iframe with the appropriate permissions, thus allowing cases such as the ones mentioned above to work properly.

5 Likes
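
A small model of the allow-list behaviour the post above presumes, as an added example (not Obsidian's code and not part of the original post). It assumes the embedder always applies the fixed token list quoted in the post and discards anything else a note requests; the function and constant names are hypothetical.

```javascript
// Added example: models an embedder that always applies one fixed sandbox policy.
// EMBEDDER_POLICY is the token list quoted in the post; all other names are hypothetical.
const EMBEDDER_POLICY = [
  "allow-forms", "allow-presentation", "allow-same-origin",
  "allow-scripts", "allow-modals",
];

// What a sandboxed frame loses when a token is absent (the two tokens the post names).
const EFFECT_WHEN_MISSING = {
  "allow-popups": "window.open() and target=_blank are blocked, so login popups never open",
  "allow-popups-to-escape-sandbox": "a popup that does open inherits the frame's sandbox",
};

// The sandbox attribute is a set of ASCII-whitespace-separated, case-insensitive tokens.
function parseSandbox(value) {
  return [...new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean))];
}

// Returns the attribute the frame ends up with, the requested tokens that were
// stripped, and the capabilities the frame lacks under the policy.
function sanitizeSandbox(requestedValue, policy = EMBEDDER_POLICY) {
  const dropped = parseSandbox(requestedValue).filter((t) => !policy.includes(t));
  const blocked = Object.keys(EFFECT_WHEN_MISSING)
    .filter((t) => !policy.includes(t))
    .map((t) => `${t}: ${EFFECT_WHEN_MISSING[t]}`);
  return { effective: policy.join(" "), dropped, blocked };
}

// Constructed input: the attribute value the post says it tried in the Markdown.
const result = sanitizeSandbox("allow-popups allow-popups-to-escape-sandbox");
console.log(result);
```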

I’d like to log in to Apple Music and Spotify to add songs and playlists too but it doesn’t work 🙁

I also need to embed iframes with Miro, Figma and other things and log into them.

Is there any chance to do anything with it?

1 Like

Bumping this, I need allow-pointer-lock

I need embeds from Are.na, Raindrop and rarely from iTunes Music… is sandbox="allow-popups option…

2 Likes

I just encountered this error trying to add a photopea.com iframe. My thought had been to add a photo editor inside my note so I could edit images without leaving Obsidian.

tl;dr The short version is I am getting a message opener is null when I try to log in to Photopea in Obsidian using an iframe, or using the surfing plugin or the open gate plugin.

A naive attempt is blocked because Obsidian had iframe sandbox restrictions. I get this message in the console:

Blocked opening ‘’ in a new window because the request was made in a sandboxed frame whose ‘allow-popups’ permission is not set.

There are some plugins that allow surfing, and if I use those I can get the login modal. If I try to log in via Google, say, I get the choose email page and then if I log in it shows a “Photopea says Opener is Null” message modal with no message in the console. If I close that I am sent to the “You can now close this window page,” but in fact when I return to the iframe, nothing has happened. This makes me think it is not merely an iframe issue.

Under some circumstances trying to log in sends me out of Obsidian into my browser, but I still get the opener null message, so that is not coming from Obsidian. I thought it was because it was opening in a different tab, but even if I set it to load in the same tab, I get the message.

1 Like