Two issues in 1.0.11:

1. YouTube auto-opens window.open on accounts.google.com/...?passive=true
   at page load to silently pick up an existing Google session via
   postMessage. Our setWindowOpenHandler routed these to a top-level popup
   where the postMessage parent context is missing → Google falls back to
   "JavaScript отключен". Active "Войти" clicks don't carry passive=true,
   so they still need the popup.
2. Only accounts.google.com was intercepted. Yandex, Mail.ru, Microsoft,
   VK, Apple and GitHub login pages run similar embedded-browser checks;
   in-place WebContentsView navigation to them would likely trip the same
   detectors.

Replaced isGoogleLoginUrl/migrateGoogleCookies with a provider table
(OAUTH_PROVIDERS by host, OAUTH_PATH_HOSTS by host+path-prefix) so any
known login domain routes through the same clean popup + cookie-migration
flow. passive=true URLs are filtered out so window.open auto-launches
silently fail instead of popping a broken popup.

LOGIN_PARTITION renamed persist:google-login → persist:oauth-login since
it now holds login state for all providers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
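
The routing decision described in the commit message above, sketched as an added example that is not the project's own code. The table entries, the `classifyLoginUrl` and `pathHasPrefix` helpers and the `popup`/`deny`/`default` action names are assumptions; only the names OAUTH_PROVIDERS and OAUTH_PATH_HOSTS and the passive=true rule come from the message.

```javascript
// Added example: table contents are assumed entries, not the app's real list.
const OAUTH_PROVIDERS = new Map([   // the whole host is a login surface
  ['accounts.google.com', 'google'],
  ['passport.yandex.ru', 'yandex'],
  ['login.microsoftonline.com', 'microsoft'],
  ['appleid.apple.com', 'apple'],
]);
const OAUTH_PATH_HOSTS = new Map([  // only some paths on the host are login pages
  ['github.com', [{ prefix: '/login', provider: 'github' }]],
]);

// True when `path` equals `prefix` or continues it at a segment boundary,
// so '/login' matches '/login/oauth' but not '/loginfoo'.
function pathHasPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix.endsWith('/') ? prefix : prefix + '/');
}

// Returns { action: 'popup' | 'deny' | 'default', provider? } for a window.open target.
function classifyLoginUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { action: 'default' }; }
  if (url.protocol !== 'https:') return { action: 'default' };

  // Exact match on the parsed hostname: a substring check would also accept
  // look-alike hosts such as accounts.google.com.example.test.
  const host = url.hostname.toLowerCase();
  let provider = OAUTH_PROVIDERS.get(host);
  if (!provider) {
    const rules = OAUTH_PATH_HOSTS.get(host) || [];
    const rule = rules.find((r) => pathHasPrefix(url.pathname, r.prefix));
    provider = rule && rule.provider;
  }
  if (!provider) return { action: 'default' };

  // Silent session probes opened at page load carry passive=true and rely on
  // the opener's postMessage context, which a detached popup does not have.
  if (url.searchParams.get('passive') === 'true') return { action: 'deny', provider };
  return { action: 'popup', provider };
}
```

In an Electron setWindowOpenHandler, the `deny` result would map to returning `{ action: 'deny' }`, and `popup` to opening the dedicated login window in the login partition.
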
Electron-based kiosk desktop app: large-tile launcher for YouTube, RuTube,
movie sites and Google services, designed for low-tech grandparent use.

Features:
- WebContentsView-per-app tabbed browsing with session persistence
- per-app proxy routing (Clash/V2Ray friendly, useProxy flag)
- cliqz-electron adblocker with whitelist for OAuth/integrity domains
- TMDB-backed movie search across kinogo / hdrezka / filmix
- bookmark posters auto-fetched from og:image / JSON-LD
- electron-updater wired to Gitea releases API (latest.yml + .blockmap)
- cross-domain navigation confirms via custom WebContentsView dialogs
- kiosk window with hidden menu, Ctrl+Shift+I devtools shortcut
- Trusted Types disabled engine-wide so adblocker scriptlets work on YouTube

Google OAuth handling (the hard-won part):
Google's anti-abuse JS rejects WebContentsView + custom session settings
as "embedded browser". So accounts.google.com opens in a top-level
BrowserWindow popup in a dedicated persist:google-login partition that
we never call setProxy/setUserAgent on — it inherits Windows system
proxy and the default Electron-tagged UA, both of which Google accepts.
After login, .google.com/.youtube.com cookies migrate into the parent
view's session and the view reloads to pick up the logged-in state.

Session restore: only the last-active tab attaches to the window; other
tabs load silently in the background and become instantly visible when
the user clicks them in the sidebar.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>