How can I change the CSP settings of Joplin (for iFrames)?

Operating system

macOS

Joplin version

3.0.15

Desktop version info

Joplin 3.0.15 (prod, darwin)

Client-ID: 6d237eab710c440b9e2fe07524facf9e
Sync-Version: 3
Profil-Version: 47
Unterstützter Schlüsselbund: Ja

Revision: 598677b

What issue do you have?

Hello!

I'm currently trying to evaluate Joplin to see if it could be useful for me.

An important feature would be to show other web pages within iframes - I have full control over these web pages and, thus, don't worry about any security concerns.

Since iframe elements are not directly supported by Markdown, I wrote a super simple plugin to render an iframe instead of a code block of type "iframe". And, indeed, the iframe element is shown, but the network request is blocked by the browser:

Refused to frame '...' because an ancestor violates the following Content Security Policy directive: "frame-ancestors *". Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches self's scheme. The scheme 'https:' must be added explicitly.

Therefore my question: how can I change the CSP settings of Joplin? Is there any "hidden" configuration option?

Thanks in advance for any help!

1 Like

What I already found out myself:

  • there seem to be two files named index.html within packages/app-desktop and packages/app-mobile/web/public where the CSP directive could be placed (despite the warning written there) - but that would require to rebuild everything?
  • there does not seem to be any kind of configuration file where the CSP could be inserted

Damn...

After a lot of trial and error, I managed to change the CSP settings within Joplin by adding/modifying the meta element for that setting - only to learn that

The Content Security Policy directive 'frame-ancestors' is ignored when delivered via a <meta> element.

Sometimes, I hate all these horrible constraints...

Ok, I give up: according to my current understanding, Joplin must explicitly support iframes by appropriate CSPs - I have not found any way to circumvent that.

However, I am also a complete Joplin newbie...

well, meanwhile, I gave up completely, switched to Obsidian (where iFrame embedding works out-of-the-box - iFrame sources may even be one's own note attachments: don't tell me anything about "security concerns"!), found a way to synchronize notes between devices for free within minutes ("for free" is important for my students) which means: I got everything I looked for.

I like the idea behind Joplin, and it seems pretty well done - but without iFrame embedding, it's just a better text editor.

Except for your post we never had this request before, thus the relatively low priority.

It is currently disallowed for security reasons (although this is really to prevent xss vulnerabilities). If there was enough demand for it we could investigate how to allow this particular use case and load remote content in a safe way.