fix(1.0.12): skip passive Google sign-in popups

YouTube auto-opens window.open on accounts.google.com/...?passive=true&...
at page load to silently pick up an existing Google session via postMessage.
Our setWindowOpenHandler was routing these to the OAuth popup, where Google
detects no parent context and shows "JavaScript отключен".

Tighten isGoogleLoginUrl to exclude passive=true URLs — let them get denied
without a popup. Active "Войти" clicks have no passive flag and continue
to open the popup as before.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

main.js

@@ -641,8 +641,19 @@ const LOGIN_PARTITION = 'persist:google-login';
 
 function isGoogleLoginUrl(u) {
   try {
-    const h = new URL(u).hostname;
+    const url = new URL(u);
-    return h === 'accounts.google.com' || h.endsWith('.accounts.google.com');
+    const h = url.hostname;
+    if (h !== 'accounts.google.com' && !h.endsWith('.accounts.google.com')) return false;
+    // YouTube (and other Google products) silently call window.open on
+    // accounts.google.com/...?passive=true&... when the page first loads to
+    // pick up an existing session via postMessage. That flow doesn't work in a
+    // top-level popup (no parent context → Google shows "JavaScript отключен").
+    // Skip the popup for these — they only matter if the user happens to
+    // already be logged in elsewhere, which won't be the case on a fresh
+    // partition anyway. Active login (user clicks "Войти") never has
+    // passive=true, so it still routes through openLoginPopup.
+    if (url.searchParams.get('passive') === 'true') return false;
+    return true;
   } catch (_) { return false; }
 }
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ESH-Media",
-  "version": "1.0.11",
+  "version": "1.0.12",
   "private": true,
   "main": "main.js",
   "scripts": {