Iframe non-functional in Publish

Jensu · 2021-02-19T12:03:35.813Z

Hi all,

Yesterday I signed up for obsidian Publish with the intention of using it to host and share my research notes. To save space, I’m linking alot to a sharepoint drive, including embedding Powerpoints in iframes. This works perfectly in Obsidian Desktop, but fails in Obsidian Publish.

Both the sharepoint site AND a random news website fails to load, once published.

Anyone here have experience with this problem?

image706×602 3.84 KB

UPDATE:

I can see that the error is related to the Content Security Policy of the target site:

Refused to frame 'https://kadk-my.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.stream.azure-test.net *.microsoftstream.com".

This is what was adressed in 0.11.1 in the desktop version. Maybe the fix is going to be implemented in Publish to?

Licat · 2021-02-20T00:42:37.936Z

Yeah unfortunately this is only possible if the target site you’ve embedded allows embedding.

In Obsidian, because we control the full browser, we’ve implemented measures to “bypass” these additional directives to prevent sites from being embedded. Since your site viewer’s browser does not have those bypasses and enforces proper browser security, they correctly block the embedding.

These kind of measures are typically added to prevent “clickjacking” whereby a malicious website embeds another website and put a transparent layer of controls on top of it to steal users passwords. I don’t think there’s a way to bypass that from your published site unfortunately.

Jensu · 2021-02-22T09:35:27.328Z

Right. Thank you for the explanation.
Can’t complain about security

I managed to get a slight “work-around” going, specifically for Powerpoint Presentations, since they ARE allowed to be embedded, but only in presentation view.

So adding

&action=embedview

to the iframe link, allows me to preview the full presentation from within Obsidian, with videos etc. working. So definitly closer to what I hoped for.