commit 4fb4eeef6b2d6ec3fe7ab59c801f34ec9f834cbb
parent dfb1c7703e55902671d1533d166115f46233b2c6
Author: Zach Rice <bynxmusic@gmail.com>
Date: Mon, 18 May 2026 18:17:46 -0400
Fix OAuth popups by inverting user-gesture check in createview()
The createview() handler blocked NAVIGATION_TYPE_OTHER requests with
is_user_gesture=true, which is exactly the case for OAuth window.open()
calls. Invert the check so user-initiated popups are allowed and
script-spawned ones are blocked. Also handle user-gesture OTHER
navigations in decidenewwindow() instead of silently dropping them.
Diffstat:
2 files changed, 57 insertions(+), 8 deletions(-)
diff --git a/patches/surf-oauth-popups.diff b/patches/surf-oauth-popups.diff
@@ -0,0 +1,48 @@
+Description: Fix OAuth popups (window.open) being blocked
+OAuth login flows use window.open() which WebKit reports as NAVIGATION_TYPE_OTHER
+with is_user_gesture=true. The createview() logic was inverted — it blocked
+user-gesture popups and allowed non-user-gesture ones. Additionally,
+decidenewwindow() silently dropped all OTHER-type navigations.
+
+This patch inverts the createview() check so user-initiated popups are allowed,
+and adds handling in decidenewwindow() to open a new window for user-gesture
+OTHER navigations.
+
+Apply: patch -p1 < patches/surf-oauth-popups.diff
+Unpatch: patch -R -p1 < patches/surf-oauth-popups.diff
+
+diff --git a/surf.c b/surf.c
+index 73eefe7..69497ed 100644
+--- a/surf.c
++++ b/surf.c
+@@ -1293,13 +1293,8 @@ createview(WebKitWebView *v, WebKitNavigationAction *a, Client *c)
+ Client *n;
+
+ switch (webkit_navigation_action_get_navigation_type(a)) {
+- case WEBKIT_NAVIGATION_TYPE_OTHER: /* fallthrough */
+- /*
+- * popup windows of type “other” are almost always triggered
+- * by user gesture, so inverse the logic here
+- */
+-/* instead of this, compare destination uri to mouse-over uri for validating window */
+- if (webkit_navigation_action_is_user_gesture(a))
++ case WEBKIT_NAVIGATION_TYPE_OTHER:
++ if (!webkit_navigation_action_is_user_gesture(a))
+ return NULL;
+ case WEBKIT_NAVIGATION_TYPE_LINK_CLICKED: /* fallthrough */
+ case WEBKIT_NAVIGATION_TYPE_FORM_SUBMITTED: /* fallthrough */
+@@ -1729,7 +1724,13 @@ decidenewwindow(WebKitPolicyDecision *d, Client *c)
+ webkit_navigation_action_get_request(a));
+ newwindow(c, &arg, 0);
+ break;
+- case WEBKIT_NAVIGATION_TYPE_OTHER: /* fallthrough */
++ case WEBKIT_NAVIGATION_TYPE_OTHER:
++ if (webkit_navigation_action_is_user_gesture(a)) {
++ arg.v = webkit_uri_request_get_uri(
++ webkit_navigation_action_get_request(a));
++ newwindow(c, &arg, 0);
++ }
++ break;
+ default:
+ break;
+ }
diff --git a/surf.c b/surf.c
@@ -1293,13 +1293,8 @@ createview(WebKitWebView *v, WebKitNavigationAction *a, Client *c)
Client *n;
switch (webkit_navigation_action_get_navigation_type(a)) {
- case WEBKIT_NAVIGATION_TYPE_OTHER: /* fallthrough */
- /*
- * popup windows of type “other” are almost always triggered
- * by user gesture, so inverse the logic here
- */
-/* instead of this, compare destination uri to mouse-over uri for validating window */
- if (webkit_navigation_action_is_user_gesture(a))
+ case WEBKIT_NAVIGATION_TYPE_OTHER:
+ if (!webkit_navigation_action_is_user_gesture(a))
return NULL;
case WEBKIT_NAVIGATION_TYPE_LINK_CLICKED: /* fallthrough */
case WEBKIT_NAVIGATION_TYPE_FORM_SUBMITTED: /* fallthrough */
@@ -1729,7 +1724,13 @@ decidenewwindow(WebKitPolicyDecision *d, Client *c)
webkit_navigation_action_get_request(a));
newwindow(c, &arg, 0);
break;
- case WEBKIT_NAVIGATION_TYPE_OTHER: /* fallthrough */
+ case WEBKIT_NAVIGATION_TYPE_OTHER:
+ if (webkit_navigation_action_is_user_gesture(a)) {
+ arg.v = webkit_uri_request_get_uri(
+ webkit_navigation_action_get_request(a));
+ newwindow(c, &arg, 0);
+ }
+ break;
default:
break;
}
