mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
* fix: resolve YouTube 'sign in to confirm' bot-check in embed panels

  YouTube was showing a bot-verification prompt in the LiveWebcamsPanel and LiveNewsPanel despite the user being logged into YouTube in the same browser session.

  LiveWebcamsPanel (primary fix):
  - Changed embed domain from youtube-nocookie.com to youtube.com. The nocookie domain deliberately strips all cookies, so YouTube can never verify a signed-in session.
  - Removed sandbox attribute which blocked the Storage Access API (allow-storage-access-by-user-activation was missing).
  - Added storage-access to iframe allow attribute.

  LiveNewsPanel:
  - renderDesktopEmbed now passes origin and parentOrigin query params so postMessage is not silently dropped by the embed.
  - Added storage-access to iframe allow attribute.
  - Fixed MutationObserver target: was watching this.playerElement but YT.Player(domElement) replaces that div in its parent, so the observer never fired. Now observes playerContainer with a YouTube iframe filter, and YT.Player receives the element ID string so the iframe is inserted as a child of the div instead.

  local-api-server.mjs (youtube-embed handler):
  - MutationObserver patches inner YouTube iframe with storage-access.
  - Added Permissions-Policy: storage-access=* response header.
  - Embed page calls document.requestStorageAccess() on load.

  api/youtube/embed.js (Vercel/edge path):
  - Added tauri://localhost to ALLOWED_PARENT_ORIGINS.
  - Added Permissions-Policy: storage-access=* response header.
  - Embed page calls document.requestStorageAccess() on load.

* fix(pr-review): address review feedback on YouTube Storage Access API changes

  - LiveWebcamsPanel: tested allow-storage-access-by-user-activation sandbox token as suggested; reverted — Chrome silently blocks Storage Access API even with the token present. Documented why sandbox removal is the only working approach.
  - LiveWebcamsPanel: added comment documenting youtube-nocookie→youtube.com privacy trade-off as intentional.
  - LiveNewsPanel: wrap YT.Player constructor in try/catch to disconnect storageObserver on error; add 10 s auto-disconnect timeout to prevent leaks.
  - embed.js + local-api-server.mjs: scope permissions-policy storage-access to self + youtube.com rather than *.
  - embed.js + local-api-server.mjs: add gesture-gated requestStorageAccess() fallback on first user interaction.
  - embed.js: remove duplicate tauri://localhost from ALLOWED_PARENT_ORIGINS (already covered via ALLOWED_ORIGINS spread).

* fix(review): gate sidecar patch on storage-access, revert web webcam path

  1. Sidecar MutationObserver: gate iframe patch on storage-access absence instead of autoplay absence. If YouTube ships iframes with autoplay already present, the old check would skip adding storage-access entirely.
  2. Web webcam path: revert to youtube-nocookie.com and restore sandbox. The raw YouTube iframe cannot call requestStorageAccess() (no controlled bridge document), so switching to youtube.com only regressed privacy and sandbox security without actually fixing the bot-check.

---------

Co-authored-by: Elie Habib <elie.habib@gmail.com>
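
The gating change described in item 1 of the last fix, as an added example (not code from the worldmonitor repository): a string-level model of patching an iframe `allow` attribute, comparing a gate on autoplay absence with a gate on storage-access absence. The function names, the sample attribute value, and the assumption that the old patch appended both tokens are constructed for illustration.

```javascript
// Added example: pure-string model of an iframe `allow` attribute patch.
// Names and sample values are hypothetical, not taken from the project.

// Split an `allow` attribute into trimmed, non-empty directives.
function parseAllow(allow) {
  return (allow || '')
    .split(';')
    .map((d) => d.trim())
    .filter(Boolean);
}

// True when a directive for `feature` is present, with or without an allowlist.
// Compares the whole feature token, so "storage-access-x" does not match.
function hasFeature(allow, feature) {
  return parseAllow(allow).some(
    (d) => d.split(/\s+/)[0].toLowerCase() === feature
  );
}

// Old gate (assumed shape): patch only when autoplay is missing.
function patchGatedOnAutoplay(allow) {
  if (hasFeature(allow, 'autoplay')) return allow; // storage-access is skipped too
  return [...parseAllow(allow), 'autoplay', 'storage-access'].join('; ');
}

// New gate: patch whenever storage-access is missing; idempotent on repeat calls,
// which matters because a MutationObserver callback can fire more than once.
function patchGatedOnStorageAccess(allow) {
  if (hasFeature(allow, 'storage-access')) return allow;
  const directives = parseAllow(allow);
  if (!hasFeature(allow, 'autoplay')) directives.push('autoplay');
  directives.push('storage-access');
  return directives.join('; ');
}

// Constructed sample: an iframe that already ships with autoplay present.
const shipped = 'autoplay; encrypted-media';
console.log('old gate:', patchGatedOnAutoplay(shipped));
console.log('new gate:', patchGatedOnStorageAccess(shipped));
```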