fix(1.0.9): revert OAuth popup BrowserWindow — Google detects embedded popups

1.0.1 ("trusted-domains OAuth popups") changed setWindowOpenHandler to return action:'allow' with overrideBrowserWindowOptions for trusted domains (Google, Yandex, etc.), opening a real Electron BrowserWindow as popup. The reasoning was that OAuth flows need window.opener + postMessage. That's correct for some flows but wrong for YouTube-style login, which uses straight redirect. Worse: Google specifically detects popup-style embedded browsers (Electron BrowserWindow has distinct fingerprint vs real Chrome popup) and blocks them with "Возможно, этот браузер небезопасны". The user reported this stopped working after 1.0.0 — that's why. Restore the 1.0.0 behavior for trusted domains: deny the popup and call view.webContents.loadURL(newUrl) in the same view. The OAuth flow now happens as a normal in-place navigation: YouTube → accounts.google.com → (user logs in) → redirect back to YouTube. No popup, no fingerprint mismatch. The only UX loss is the popup window aesthetic; behavior is functionally identical and matches what worked in 1.0.0. Untrusted cross-domain still asks for confirmation, same-origin popups still navigate in-place — unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fix(1.0.8): strip cliqz adblocker preload — breaks CSP-strict sites
2026-05-16 22:31:37 +03:00 · 2026-05-16 22:24:47 +03:00
2 changed files with 34 additions and 21 deletions
--- a/main.js
+++ b/main.js
@@ -111,7 +111,27 @@ function getBlocker() {

 function enableBlockingInSession(sess) {
  getBlocker()
-    .then(b => { b.enableBlockingInSession(sess); console.log('[adblock] enabled for session'); })
+    .then(b => {
+      b.enableBlockingInSession(sess);
+      // Remove the cliqz preload script that the blocker just registered on this
+      // session. The preload injects inline <script> elements (via createTextNode +
+      // appendChild) to neutralize anti-adblock scripts, but:
+      //   • Strict-CSP sites (kinogo via Cloudflare, etc.) reject inline scripts
+      //     without a matching nonce → "Refused to execute inline script".
+      //   • Trusted-Types sites (YouTube, Gmail) reject `script.appendChild(text)`
+      //     → "HTMLScriptElement was directly modified" (52 errors).
+      // We keep the adblocker's network blocking and CSP filtering (via the still-
+      // attached webRequest hooks), losing only the niche scriptlet/cosmetic-DOM
+      // injection layer that breaks more sites than it helps.
+      const before = sess.getPreloads();
+      const after = before.filter(p => !/adblocker-electron-preload/i.test(p));
+      if (after.length !== before.length) {
+        sess.setPreloads(after);
+        console.log('[adblock] enabled for session (preload script disabled)');
+      } else {
+        console.log('[adblock] enabled for session');
+      }
+    })
    .catch(e => console.warn('[adblock] failed to enable:', e.message));
 }

@@ -639,37 +659,30 @@ ipcMain.on('create-view', async (_event, name, url, imageUrl, _zoom, useProxy) =
    trackNavigation(newUrl);
  });
  view.webContents.on('will-redirect', (_e, u) => trackNavigation(u));
-  view.webContents.setWindowOpenHandler(({ url: newUrl, frameName, features }) => {
+  view.webContents.setWindowOpenHandler(({ url: newUrl }) => {
    let newHostname = '';
    try { newHostname = new URL(newUrl).hostname; } catch (_) {}

-    // Trusted domain → open as real popup BrowserWindow with same session.
-    // This is what OAuth flows need: window.opener.postMessage() works,
-    // popup can close itself when done, parent stays on the original page.
+    // Trusted domain (Google, Yandex, etc.) → navigate IN-PLACE, no popup.
+    // 1.0.1 tried opening a real popup BrowserWindow here for OAuth postMessage
+    // flows — turns out Google specifically detects popup-style embedded
+    // browsers and blocks OAuth ("Возможно, этот браузер небезопасны").
+    // YouTube-style login uses standard redirect flow, so in-place navigation
+    // works AND avoids the popup fingerprint. 1.0.0 behavior, restored.
    if (newHostname && isTrustedDomain(newHostname)) {
-      return {
-        action: 'allow',
-        overrideBrowserWindowOptions: {
-          width: 520, height: 640,
-          parent: mainWindow,
-          autoHideMenuBar: true,
-          webPreferences: {
-            session: view.webContents.session,
-            contextIsolation: true,
-            nodeIntegration: false,
-          },
-        },
-      };
+      trackNavigation(newUrl);
+      view.webContents.loadURL(newUrl);
+      return { action: 'deny' };
    }

-    // Untrusted cross-domain → ask the user (original behavior).
+    // Untrusted cross-domain → ask the user.
    if (origHostname && newHostname && newHostname !== origHostname) {
      pendingNavigate = { view, url: newUrl };
      setConfirm(`Перейти на "${newHostname}"?`, 'navigate-confirmed');
      return { action: 'deny' };
    }

-    // Same-origin popup → just navigate the current view.
+    // Same-origin popup → navigate the current view.
    trackNavigation(newUrl);
    view.webContents.loadURL(newUrl);
    return { action: 'deny' };
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "ESH-Media",
-  "version": "1.0.7",
+  "version": "1.0.9",
  "private": true,
  "main": "main.js",
  "scripts": {