iframe elements inside a note have some limitations in the preview. They are sandboxed with the following parameters:
sandbox = "allow-forms allow-presentation allow-same-origin allow-scripts allow-modals"
but it does not include the permissions "allow-popups" or "allow-popups-to-escape-sandbox"
I’m sure there are pretty good reasons for this, but it is inconvenient in some scenarios in which the iframe requires some kind of user login. For example:
- iframes to preview private documents stored in OneDrive or similar cloud services
- iframes to play spotify playlists (without login, the playback is limited to 10 seconds per song)
These frames show a button for logging in, but when the button is pressed nothing happens (and the JS console shows the error Blocked opening '<URL>' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.
Of course, adding sandbox="allow-popups allow-popups-to-escape-sandbox" in the markdown does not work, because (I presume) Obsidian sanitizes it and removes those options in the preview.
My specific question is: is this “sanitization” (to ensure iframe restrictions) applied also in the code generated via a plugin?
Because if this is not the case, a plugin could be written to search for specially marked content and replace it with an iframe with the appropriate permissions, allowing thus the proper working of cases as the ones mentioned above.
