fix(1.0.9): revert OAuth popup BrowserWindow — Google detects embedded popups

1.0.1 ("trusted-domains OAuth popups") changed setWindowOpenHandler to
return action:'allow' with overrideBrowserWindowOptions for trusted
domains (Google, Yandex, etc.), opening a real Electron BrowserWindow
as popup. The reasoning was that OAuth flows need window.opener +
postMessage. That's correct for some flows but wrong for YouTube-style
login, which uses straight redirect.

Worse: Google specifically detects popup-style embedded browsers
(Electron BrowserWindow has distinct fingerprint vs real Chrome popup)
and blocks them with "Возможно, этот браузер небезопасны". The user
reported this stopped working after 1.0.0 — that's why.

Restore the 1.0.0 behavior for trusted domains: deny the popup and call
view.webContents.loadURL(newUrl) in the same view. The OAuth flow now
happens as a normal in-place navigation: YouTube → accounts.google.com
→ (user logs in) → redirect back to YouTube. No popup, no fingerprint
mismatch. The only UX loss is the popup window aesthetic; behavior is
functionally identical and matches what worked in 1.0.0.

Untrusted cross-domain still asks for confirmation, same-origin popups
still navigate in-place — unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

main.js

@@ -659,37 +659,30 @@ ipcMain.on('create-view', async (_event, name, url, imageUrl, _zoom, useProxy) =
     trackNavigation(newUrl);
   });
   view.webContents.on('will-redirect', (_e, u) => trackNavigation(u));
-  view.webContents.setWindowOpenHandler(({ url: newUrl, frameName, features }) => {
+  view.webContents.setWindowOpenHandler(({ url: newUrl }) => {
     let newHostname = '';
     try { newHostname = new URL(newUrl).hostname; } catch (_) {}
 
-    // Trusted domain → open as real popup BrowserWindow with same session.
-    // This is what OAuth flows need: window.opener.postMessage() works,
-    // popup can close itself when done, parent stays on the original page.
+    // Trusted domain (Google, Yandex, etc.) → navigate IN-PLACE, no popup.
+    // 1.0.1 tried opening a real popup BrowserWindow here for OAuth postMessage
+    // flows — turns out Google specifically detects popup-style embedded
+    // browsers and blocks OAuth ("Возможно, этот браузер небезопасны").
+    // YouTube-style login uses standard redirect flow, so in-place navigation
+    // works AND avoids the popup fingerprint. 1.0.0 behavior, restored.
     if (newHostname && isTrustedDomain(newHostname)) {
-      return {
-        action: 'allow',
-        overrideBrowserWindowOptions: {
-          width: 520, height: 640,
-          parent: mainWindow,
-          autoHideMenuBar: true,
-          webPreferences: {
-            session: view.webContents.session,
-            contextIsolation: true,
-            nodeIntegration: false,
-          },
-        },
-      };
+      trackNavigation(newUrl);
+      view.webContents.loadURL(newUrl);
+      return { action: 'deny' };
     }
 
-    // Untrusted cross-domain → ask the user (original behavior).
+    // Untrusted cross-domain → ask the user.
     if (origHostname && newHostname && newHostname !== origHostname) {
       pendingNavigate = { view, url: newUrl };
       setConfirm(`Перейти на "${newHostname}"?`, 'navigate-confirmed');
       return { action: 'deny' };
     }
 
-    // Same-origin popup → just navigate the current view.
+    // Same-origin popup → navigate the current view.
     trackNavigation(newUrl);
     view.webContents.loadURL(newUrl);
     return { action: 'deny' };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ESH-Media",
-  "version": "1.0.8",
+  "version": "1.0.9",
   "private": true,
   "main": "main.js",
   "scripts": {