← Back to context

Comment by exceptione

2 days ago

A long time ago I figured that "nasty Obsidian plugins" were not a matter of if, but when.

So I did the (imho) only sensible thing, and run Obsidian in a sandbox (bwrap). By doing so, I also made sure it runs in a separate networking namespace. For now, I disallow any internet access.

The amount of rage I see here is a bit strange, the whole attraction of Obsidian is that you can turn it into a Swiss army knife (that can hurt you too ofc).

@kepano: you would greatly help me if you could force plugin authors to list the urls they want to access inside the manifest, then let the user per url decide if they want to enable it. I still see some stupid plugin authors download their assets from a CDN or a vague website, from deeply buried in their code. Making url depencies explicit helps firewall automation at a first step. Maybe you could revoke direct network access from plugins, but i am not too knowledgeable about Electron.

3 comments

exceptione

Reply
jedimastert  2 days ago

> So I did the (imho) only sensible thing, and run Obsidian in a sandbox (bwrap). By doing so, I also made sure it runs in a separate networking namespace. For now, I disallow any internet access.

> The amount of rage I see here is a bit strange

Serious question: do you think it is actually obvious and technically accessable to everyday people to have the thought "I should run this in a sandbox" and do it?

Like no this is not some super elite haxxr tool, it's a text editor pretty explicitly advertised as being non-technical-person-friendly.

  • exceptione  5 hours ago 

      > Serious question: do you think it is actually obvious and technically accessable to everyday people to have the thought "I should run this in a sandbox" and do it?

    I meant the HN crowd ofc. I assume the non-technical obsidian user would not be present here.

    You have a point though that non-technical people are screwed, but they have always been. Their whole lives and biometrics rest on Google and Apple servers anayways, while a good part of their identity is being traded by non-scrupulous commercial predators under the veil of advertising purposes. They are so beyond f*cked that I did not include their concerns wrt Obsidian plugins.

  • soco  2 days ago

    I haven't seen the term haxx0r since... ages! How are they called nowadays?