* Add React Grab inject button to browser toolbar
Adds a toolbar button (cursor click icon) that injects the react-grab
script (unpkg.com/react-grab/dist/index.global.js) into the current
page. Hover over React elements and Cmd+C to copy component context
(file, component name, line number) for AI agents.
Button highlights when active, resets on navigation.
* Auto-activate selection mode on React Grab inject
First click: injects the script and auto-activates selection mode via
the react-grab:init event. Subsequent clicks toggle selection mode
on/off via window.__REACT_GRAB__.toggle().
* Bridge React Grab state back to Swift via WKScriptMessageHandler
Register a cmux-bridge plugin after injecting react-grab that posts
state changes back to Swift via webkit.messageHandlers. The button
now highlights accent color only when selection mode is actually
active (not just when the script is loaded), and deactivates when
the user exits selection mode via Escape or the react-grab toolbar.
* Fetch react-grab script via URLSession to bypass CSP
Sites like vercel.com block loading external scripts via CSP headers.
Fetch the script with URLSession (not subject to page CSP), cache it,
and inject inline via evaluateJavaScript. Also guard against duplicate
injection on repeated clicks.
* Prefetch react-grab script on first browser panel init
Kick off a low-priority background fetch of the react-grab script
when the first BrowserPanel is created. The script is cached
statically so clicking the button is instant.
* Eliminate react-grab button and callback lag
Three changes:
1. Fire-and-forget: use evaluateJavaScript with completionHandler
instead of await, so button taps return immediately.
2. Single JS payload: combine bootstrap listener + script source
into one evaluateJavaScript call (one IPC round-trip, not two).
3. Dedupe state callbacks: only post webkit message when isActive
actually changes, not on every hover/drag state update.
* Fix duplicate state callback on react-grab toggle
toggleReactGrab was sending an explicit postMessage AND the plugin's
onStateChange hook was firing too, causing two @Published updates per
toggle. Remove the explicit postMessage since the plugin hook handles
it. Also add dlog instrumentation for debugging.
* Add Cmd+Shift+G shortcut for React Grab (configurable)
- Add toggleReactGrab to KeyboardShortcutSettings with Cmd+Shift+G default
- Add View menu item with customizable shortcut
- Add command palette entry (searchable as "react grab" or "inspect element")
- Simplify button to use toggleOrInjectReactGrab, remove local state tracking
* Fix Codex review findings: pin version, verify hash, fix retry and state
1. Pin react-grab to exact version (0.1.29) with SHA-256 integrity
check. Script is verified before evaluation to prevent supply-chain
attacks via compromised CDN responses.
2. Clear prefetchTask on failure so subsequent attempts retry the
download instead of reusing a permanently failed task.
3. Remove premature isReactGrabActive=true. State is now only set
by the onStateChange message handler callback after confirmed
initialization, or explicitly reset on evaluation error.
* Extract React Grab into own file, make version configurable
Move all react-grab logic (settings, script loader, message handler,
BrowserPanel extension) into Sources/Panels/ReactGrab.swift.
Add a "React Grab Version" text field in Settings > Browser that lets
the user pin which npm version is fetched. Only versions with a known
SHA-256 integrity hash in ReactGrabSettings.knownHashes are accepted.
The cache invalidates when the configured version changes.
---------
Co-authored-by: Lawrence Chen <lawrencecchen@users.noreply.github.com>
Port links were reusing the PR-link preference
(openSidebarPullRequestLinksInCmuxBrowser), causing inconsistent
behavior when users toggled that setting. Adds a dedicated
openSidebarPortLinksInCmuxBrowser setting with its own toggle in
Settings so port and PR link behavior can be controlled independently.
Addresses review feedback from https://github.com/manaflow-ai/cmux/pull/1844
Co-authored-by: Lawrence Chen <lawrencecchen@users.noreply.github.com>
* Add regression test for browser back history
* Fix browser back history handoff
* Fix browser tab favicon not updating on navigation
Two issues caused stale or missing favicons in browser tabs:
1. KVO race: The isLoading observer read webView.isLoading inside a deferred
Task instead of capturing the KVO change value at observation time. For fast
navigations (back-forward cache), isLoading flips true→false before the Task
runs, so handleWebViewLoadingChanged(true) was never called and the old
favicon was never cleared.
2. SPA favicon discovery: Sites that inject <link rel="icon"> via JavaScript
(e.g. React apps) had no favicon link in the DOM when didFinish fired. The
fallback to /favicon.ico often 404'd, leaving the globe icon permanently.
Now retries the JS query after 600ms to give client-side scripts time to
add the tag.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
CAPTCHA providers (reCAPTCHA, hCaptcha, Cloudflare Turnstile) detect
environment tampering in their cross-origin iframes. With
forMainFrameOnly: false, the telemetry hooks (overridden console.*)
and address bar focus tracker (__cmux* globals) run inside CAPTCHA
iframes, causing challenges to fail or score the session as a bot.
Change forMainFrameOnly from false to true on:
- telemetryHookBootstrapScriptSource
- addressBarFocusTrackingBootstrapScript
Both only need to run in the top-level page context.
Fixes#1429
* feat: support window.open() popup windows (#742)
Return a live WKWebView from createWebViewWith using WebKit's supplied
configuration, preserving popup browsing-context semantics (window.opener,
postMessage). This fixes OAuth/OIDC flows and any site relying on standard
popup patterns.
- Add BrowserPopupWindowController: NSPanel-based popup with self-retention,
KVO title/URL, read-only URL label, nested popup depth limit (3),
insecure-HTTP prompt parity, auth challenge parity, download delegate
- Classifier: scripted requests (window.open) create popups; user-initiated
actions (Cmd+click, middle-click, context menu) open tabs
- Retarget context menu "Open Link in New Tab" to bypass createWebViewWith,
wired in both main browser and popup web views
- Cmd+W fast path in AppDelegate for popup windows
- Opener panel owns popup lifecycle; close() tears down all child popups
* fix: Cmd+W closes only the popup, not the parent tab
Add BrowserPopupPanel (NSPanel subclass) that intercepts Cmd+W in
performKeyEquivalent before the swizzled cmux_performKeyEquivalent
can dispatch it to the main menu's "Close Tab" action.
Also refine the popup classifier to reuse browserNavigationShouldOpenInNewTab
for Cmd+click/middle-click detection, add download delegate wiring, and
wire onContextMenuOpenLinkInNewTab for popup web views.
* fix: tighten popup routing and window behavior
* test: cover oversized popup frame clamping
* test: cover plain link-activated popup routing
---------
Co-authored-by: Lawrence Chen <lawrencecchen@users.noreply.github.com>
Add Startpage (startpage.com) to the BrowserSearchEngine enum alongside
Google, DuckDuckGo, Bing, and Kagi. Startpage provides an OpenSearch-
compatible suggestions endpoint at /osuggestions, so autosuggestions
work out of the box using the existing OSJSON parser.
Co-authored-by: Zlatko Cajic <git@zlat.co>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
