I was thinking about creating a rule that only allows Obsidian to update itself and fetch plugins – to reduce potential for harm from 3rd party plugins.
What domains would I need to whitelist to allow Obsidian to update itself and display the plugin marketplace (and download/update plugins, of course)?
I think it just uses GitHub for all of that. You could also allow obsidian.md and its subdomains (you’ll definitely need to if you use Publish or Sync).
Thanks. I already whitelisted github with its subdomains, but I noticed that for some things, like getting a list of available themes, it was not enough…
In addition to github.com, raw.githubusercontent.com is used for community plugins and themes. Looks like avatars.githubusercontent.com as well.
There may be more, but this is what I see currently for Obsidian:
Thank you very much. What application is that on your screenshot? Some firewall?
Yes, it’s Little Snitch on macOS.
Looks nice. I am not a fan of LuLu’s interface, and its network monitor crashes constantly. But I like that it’s FOSS. Tempted to get this Little Snitch though.
May I ask please:
- What is api.obsidian.md used for? Sync? Sync only?
- Why does the app have to connect to
- What does it fetch from
shields.io for cosmetic elements only?
Are any of these telemetry?
Generally, which of these can I block safely if I only want updates and plugin/theme browsing?
Thank you very much.
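
The point raised earlier in the thread, that allowing github.com with its subdomains does not cover raw.githubusercontent.com or avatars.githubusercontent.com, shown as an added example that is not part of any post. The rule syntax (`*.domain` meaning the domain plus any subdomain) and all function names are assumptions for illustration, not Little Snitch or LuLu syntax, and the rule lists only restate hosts named in the thread, not a verified complete set.

```python
# Added illustration: hostname allowlist matching on DNS label boundaries.
# Rule syntax is hypothetical: "example.com" = exact host,
# "*.example.com" = that domain plus any subdomain.

def normalize(host: str) -> str:
    # Hostnames are case-insensitive; a trailing dot is the DNS root.
    return host.strip().rstrip(".").lower()

def matches(rule: str, host: str) -> bool:
    rule, host = normalize(rule), normalize(host)
    if rule.startswith("*."):
        base = rule[2:]
        # Require a "." before the base so "notgithub.com" does not match.
        return host == base or host.endswith("." + base)
    return host == rule

def allowed(rules, host: str) -> bool:
    return any(matches(rule, host) for rule in rules)

def report(rules, hosts):
    # Map each host to True (allowed) or False (blocked by default deny).
    return {normalize(h): allowed(rules, h) for h in hosts}

# First attempt described in the thread: GitHub and its subdomains only.
GITHUB_ONLY = ["*.github.com"]

# After the replies: hosts the thread names for updates, plugins and themes.
EXTENDED = [
    "*.github.com",
    "*.obsidian.md",
    "raw.githubusercontent.com",
    "avatars.githubusercontent.com",
]

# Constructed sample hosts: the ones named in the thread plus two
# constructed lookalikes that a naive substring or suffix match would allow.
SAMPLE_HOSTS = [
    "github.com", "GitHub.com.", "raw.githubusercontent.com",
    "avatars.githubusercontent.com", "api.obsidian.md", "shields.io",
    "notgithub.com", "github.com.example.net",
]

if __name__ == "__main__":
    for name, rules in (("github only", GITHUB_ONLY), ("extended", EXTENDED)):
        print(name)
        for host, ok in report(rules, SAMPLE_HOSTS).items():
            print(f"  {'ALLOW' if ok else 'BLOCK'}  {host}")
```

githubusercontent.com is a separate registered domain, so no github.com subdomain rule can match it; anything not listed, such as shields.io here, stays blocked until a rule is added for it.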