[Publish] - Password broken with custom domain

Steps to reproduce

  1. Configure a new custom domain as described in the help doc
  2. If you’re not already using a password, create a new one
  3. Attempt to log in with your password on the custom domain

Expected result

Login succeeds

Actual result

Login fails with “Incorrect Password” error. Interestingly, accessing the site through the “old” URL (ie publish.obsidian.md/name) works fine. I’m guessing the password hash comparison is failing to lookup the vault correctly based on the custom domain.


  • Operating system: Windows 10
  • Obsidian version: 0.10.9
1 Like

I think I’ve specifically tested this and due to a CORS issue if you’ve visited your site from the original URL, which causes the resources to be cached, then visit it from your new custom domain URL, then the browser would improperly remember the CORS response from the cache, causing a failure.

Clearing your browser cache should resolve this issue. If it does not, remove your password and add it again, then clear your browser cache. This should force our server-side cache to clear.

As a visitor, if they don’t visit your site using the old URL, they should never run into this issue.

Unfortunately this doesn’t seem to resolve the issue. I have even downloaded a new browser (I was meaning to try Brave anyway…) and am having the same issue. Other suggestions are certainly welcome, and thanks for your help!

1 Like

Dear @Licat,
I have exactly the same issue.
There seems to be another issue with this. I have deleted the password and made a totally new password. It does not work. I have done all the processes as you mentioned in response to @brush701 and I had the same result as his.
Please help me fix this issue because my teammates are expecting it to be solved and I really am relying on Obsidian.

If you open the website using another browser, does it work?

On a side note, I don’t think it’s wise to rely for critical production work on a feature that is still in insider build.


After some additional testing you guys are right, there’s another case of cross domain access permissions that I missed for verifying the password.

I have just patched the issue and deployed a fix. It seems to have resolved the issue in my testing. Let me know if this is true for you guys.

Thank you so much @Licat for the prompt action. and thank’s to @WhiteNoise for his advice.
Yes, it got fixed. But a new problem appeared. Since it got fixed in my browser when I go to another browser or I test it from different devices (e.g. Safari, iPhone browser, Chrome from another android phone) the password works, but the page will take an eternity and does not load. Please see if it can be fixed.
Many thanks again.

I can confirm that although the password is now accepted, the page hangs on the loading screen with the Obsidian icon. Everything still loads normally when accessed via the original publish domain.

Can one of you private message me your site information & password so I can test this?

Also just to make sure, if you block third party cookies, the password won’t be properly remembered to grant you access to site files, which may be why the page keeps loading (because your browser has blocked saving the password).

1 Like

Got fixed.
As I experienced both with chrome and safari, cross-site tracking should not be prevented. On safari, we should uncheck the “prevent cross-site tracking” in “Preferences”, then the site loads and works properly.
The problem is that many users (audiences) are not that familiar with these settings and their browser is preventing cross-site tracking by default. I do not know if there is a solution for that or not.