fix(1.0.6): strip Trusted Types CSP on YouTube/Google to unbreak adblocker

YouTube response sends Content-Security-Policy: require-trusted-types-for
'script' which blocks the cliqz adblocker's inline-script injection used
to neutralize YT's anti-adblock detection (52 "HTMLScriptElement was
directly modified and will not be executed" console errors).

Strip require-trusted-types-for and trusted-types directives from CSP
and CSP-Report-Only headers for youtube.com / youtu.be / google.com /
gmail.com (and subdomains) via onHeadersReceived on all 3 sessions.
Other CSP directives stay intact so site-level security boundaries hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

main.js

@@ -334,6 +334,20 @@ ipcMain.handle('check-update-now', async () => {
 
 // --- Window ---
 
+function attachDevToolsShortcut(webContents) {
+  // Ctrl+Shift+I / F12 open DevTools on this webContents.
+  // Always available so a kiosk machine can be debugged without un-kiosking.
+  webContents.on('before-input-event', (_e, input) => {
+    if (input.type !== 'keyDown') return;
+    const isDevToolsCombo =
+      (input.control && input.shift && (input.key === 'I' || input.key === 'i')) ||
+      input.key === 'F12';
+    if (isDevToolsCombo) {
+      try { webContents.openDevTools({ mode: 'detach' }); } catch (_) {}
+    }
+  });
+}
+
 async function createWindow() {
   mainWindow = new BrowserWindow({
     width: 1280,
@@ -347,6 +361,8 @@ async function createWindow() {
     },
   });
 
+  attachDevToolsShortcut(mainWindow.webContents);
+
   if (isDev) {
     mainWindow.loadURL(RENDERER_URL);
   } else {
@@ -506,19 +522,22 @@ async function restoreSession() {
     const sess = cfg.openedSession;
     if (!sess || !Array.isArray(sess.tabs) || !sess.tabs.length) return;
     console.log(`[session] restoring ${sess.tabs.length} tab(s), active=${sess.activeName}`);
-    // Spawn each saved tab by replaying create-view. ipcMain.emit triggers the handler
-    // synchronously; the view's loadURL is fire-and-forget. We chain via setTimeout to
-    // avoid stacking N loaders simultaneously.
+    // Spawn each saved tab by replaying create-view, sequentially with a small delay.
+    // Concurrent create-view calls in v1.0.3 caused races: multiple setLoader/addChild
+    // interleaved → some views ended up unmounted (white screen). Spacing them out
+    // gives each view time to mount before the next steals currentView.
+    const fakeEvent = { sender: mainWindow.webContents };
     for (const tab of sess.tabs) {
       if (!tab?.name || !tab?.url) continue;
-      ipcMain.emit('create-view', { sender: mainWindow.webContents }, tab.name, tab.url, tab.imageUrl || '', 1.0, !!tab.useProxy);
+      ipcMain.emit('create-view', fakeEvent, tab.name, tab.url, tab.imageUrl || '', 1.0, !!tab.useProxy);
+      await new Promise(r => setTimeout(r, 150));
     }
-    // After all spawned, the last one is `currentView`. Switch to the saved active if different.
+    // Switch to saved active if it isn't already the last-spawned (currentView).
     if (sess.activeName === 'home') {
-      ipcMain.emit('hide-view', { sender: mainWindow.webContents });
+      ipcMain.emit('hide-view', fakeEvent);
       sendOpenedApps('home');
     } else if (sess.activeName && sess.activeName !== currentView?.name) {
-      ipcMain.emit('show-view', { sender: mainWindow.webContents }, sess.activeName);
+      ipcMain.emit('show-view', fakeEvent, sess.activeName);
     }
   } catch (e) {
     console.warn('[session] restore failed:', e.message);
@@ -557,6 +576,7 @@ ipcMain.on('create-view', async (_event, name, url, imageUrl, _zoom, useProxy) =
   openedApps.push(appEntry);
   currentView = appEntry;
   view.setBounds(getViewBounds());
+  attachDevToolsShortcut(view.webContents);
 
   view.webContents.on('did-finish-load', () => {
     removeLoader();
@@ -1190,37 +1210,57 @@ app.whenReady().then(async () => {
   app.userAgentFallback = cleanUserAgent;
   session.defaultSession.setUserAgent(cleanUserAgent);
 
-  // Chrome version from the cleaned UA — used for client hints below
-  const chromeVerMatch = cleanUserAgent.match(/Chrome\/(\d+)/);
-  const chromeMajor = chromeVerMatch ? chromeVerMatch[1] : '128';
-  const secChUa = `"Not_A Brand";v="8", "Chromium";v="${chromeMajor}", "Google Chrome";v="${chromeMajor}"`;
+  // Add Referer to image requests so hotlink protection doesn't block them.
+  // (Sec-CH-UA spoofing was tried in 1.0.4 and caused white pages — reverted.
+  //  Google embedded-browser detection is now mitigated only via adblock whitelist
+  //  of gstatic/google-analytics/etc., which previously was being eaten silently.)
+  session.defaultSession.webRequest.onBeforeSendHeaders(
+    { urls: ['https://*/*', 'http://*/*'] },
+    (details, callback) => {
+      const headers = details.requestHeaders;
+      if (details.resourceType === 'image' && !headers['Referer'] && !headers['referer']) {
+        try {
+          const u = new URL(details.url);
+          headers['Referer'] = `${u.protocol}//${u.hostname}/`;
+        } catch (_) {}
+      }
+      callback({ requestHeaders: headers });
+    }
+  );
 
-  const installRequestHooks = (sess) => {
-    sess.webRequest.onBeforeSendHeaders(
-      { urls: ['https://*/*', 'http://*/*'] },
+  // Strip Trusted Types directives from CSP for sites that enforce them
+  // (YouTube, Gmail, etc.). The cliqz adblocker injects inline scriptlets to
+  // neutralize anti-adblock tricks; those injections use plain script.text
+  // assignment which TT blocks → "An HTMLScriptElement was directly modified
+  // and will not be executed" (52+ console errors on YouTube). Without TT
+  // the adblocker's scripts run and YouTube works normally.
+  const TT_STRIP_HOSTS = [
+    'youtube.com', 'youtu.be', 'youtubekids.com',
+    'google.com', 'gmail.com', 'mail.google.com',
+  ];
+  const stripTrustedTypes = (sess) => {
+    sess.webRequest.onHeadersReceived(
+      { urls: ['https://*/*'] },
       (details, callback) => {
-        const headers = details.requestHeaders;
-        // Spoof Sec-CH-UA so embedded-browser detectors (Google login, etc.) see
-        // a real-Chrome brand list. Electron normally injects the app name as
-        // the brand which is how Google fingerprints us as "embedded/unsafe".
-        headers['sec-ch-ua'] = secChUa;
-        headers['sec-ch-ua-mobile'] = '?0';
-        headers['sec-ch-ua-platform'] = '"Windows"';
-        // Add Referer to image requests so hotlink protection doesn't block them
-        if (details.resourceType === 'image' && !headers['Referer'] && !headers['referer']) {
-          try {
-            const u = new URL(details.url);
-            headers['Referer'] = `${u.protocol}//${u.hostname}/`;
-          } catch (_) {}
+        let host = '';
+        try { host = new URL(details.url).hostname; } catch {}
+        const match = TT_STRIP_HOSTS.some(d => host === d || host.endsWith('.' + d));
+        const headers = details.responseHeaders;
+        if (!match || !headers) return callback({});
+        for (const k of Object.keys(headers)) {
+          if (/^content-security-policy(-report-only)?$/i.test(k)) {
+            headers[k] = headers[k].map(v => v
+              .replace(/require-trusted-types-for[^;]*;?\s*/gi, '')
+              .replace(/trusted-types[^;]*;?\s*/gi, ''));
+          }
         }
-        callback({ requestHeaders: headers });
+        callback({ responseHeaders: headers });
       }
     );
   };
-
-  installRequestHooks(session.defaultSession);
-  installRequestHooks(getProxySession());
-  installRequestHooks(getDirectSession());
+  stripTrustedTypes(session.defaultSession);
+  stripTrustedTypes(getProxySession());
+  stripTrustedTypes(getDirectSession());
 
   // Apply proxy from config before blocker tries to download filter lists
   loadTrustedDomainsFromDisk();

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ESH-Media",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "private": true,
   "main": "main.js",
   "scripts": {

src/components/Header.tsx

@@ -290,14 +290,22 @@ const Header: React.FC<HeaderProps> = ({ activeApp, setActiveApp, onAppsChange,
         )}
       </div>
 
-      {updateStatus && updateStatus.state !== 'error' && (
-        <div className="update-banner">
+      {updateStatus && (
+        <div className={`update-banner${updateStatus.state === 'error' ? ' error' : ''}`}>
           {updateStatus.state === 'available' && (
             <>
               <span className="update-banner-spinner" />
               <span>Загружается обновление {updateStatus.version}{updateStatus.currentVersion ? ` (текущая ${updateStatus.currentVersion})` : ''}…</span>
             </>
           )}
+          {updateStatus.state === 'error' && (
+            <>
+              <span>Ошибка обновления: {updateStatus.message}</span>
+              <button className="update-banner-btn" onClick={() => window.electron?.checkUpdateNow?.()}>
+                Повторить
+              </button>
+            </>
+          )}
           {updateStatus.state === 'downloading' && (
             <>
               <span>Скачивается {updateStatus.version || 'обновление'}: {updateStatus.percent}%</span>

src/styles/main.css

@@ -1480,6 +1480,11 @@ body {
 }
 .update-banner-close:hover { color: #fff; }
 
+.update-banner.error {
+  border-color: rgba(229,9,20,0.5);
+  background: rgba(40,10,12,0.95);
+}
+
 .update-banner-progress {
   flex: 1;
   height: 4px;