Content-Security-Policy header in Obsidian 1.5.3 breaks plugin

Steps to reproduce

  1. Install old version of Obsidian 1.4

  2. Install plugin: drawio-obsidian

  3. Create a new diagram using the plugin

  4. Update Obsidian from 1.4 to 1.5

  5. Re-open or Create new diagram using the plugin

  6. The editor can’t render draw.io

Did you follow the troubleshooting guide? [Y/N]

Yes

The bug is reproducible.

Expected result

The plugin should be able to render draw.io within Obsidian

Actual result

A blank draw.io, can’t use the plugin

Environment

SYSTEM INFO:
	Obsidian version: v1.5.3
	Installer version: v1.4.16
	Operating system: #101~20.04.1-Ubuntu SMP Thu Nov 16 14:22:28 UTC 2023 5.15.0-91-generic
	Login status: not logged in
	Insider build toggle: off
	Live preview: on
	Base theme: adapt to system
	Community theme: none
	Snippets enabled: 0
	Restricted mode: off
	Plugins installed: 1
	Plugins enabled: 1
		1: Diagrams v1.1.0

RECOMMENDATIONS:
	Community plugins: for bugs, please first try updating all your plugins to latest. If still not fixed, please try to make the issue happen in the Sandbox Vault or disable community plugins.


Additional information

I’m not the plugin developer.
The issue has been resolved temporarily by an edit for now, but it needs Obsidian to update.
Please read the issue on GitHub. I explained there in detail how to fix it and what happened.

Plugin Github issue: New Release? Everything broken in new Obsidian. · Issue #89 · zapthedingbat/drawio-obsidian · GitHub


This is not a bug. For security reasons, themes (CSS) cannot load remote resources: https://docs.obsidian.md/Themes/App+themes/Embed+fonts+and+images+in+your+theme. This is enforced in 1.5.x with that CSP header and we are not going to remove it.

Moved to developers and api.

1 Like

Does Obsidian allow a way to inject allowed sites to conform to the CSP for this very reason?

While plugins should not be able to load external resources, would it not make sense to allow control over Obsidian’s CSP header for this very reason?

In this example, the plugin allows any font family from Google’s API to be pulled in. It is not realistic to embed all of those into the theme; it is also a licensing risk for the plugin developers to embed a non-compliant font into their application if it is packaged, whereas pulling it in doesn’t open up that liability.