Skip to content

v0.1.10

Latest

Choose a tag to compare

@SGavrl SGavrl released this 11 Jul 14:48
50e6632

v0.1.10

React/Vue controlled-input automation now works end to end, deeply nested and heavy pages no longer crash or stall, and CDP grew coverage for file uploads and large downloads. 48 commits since v0.1.9.

Highlights

React/Vue controlled inputs fire onChange. Typing over CDP writes the value through the prototype setter so a framework value tracker sees a real change, and event handlers are exposed on document/element so React uses the input-event path (#353). Form-filling agents can now drive real SPAs.
Deep and heavy pages are safe. The DOM serialize / textContent / import walks and the --dump text extractor are iterative, so a deeply nested page no longer overflows the stack and aborts the process (#367, #368). Heavy SPAs get a larger script budget so they finish booting (#371), and Vite dev / React Refresh apps mount instead of leaving #root empty (#380).
CDP uploads and streaming. DOM.setFileInputFiles implements Puppeteer uploadFile() / Playwright setInputFiles() and fires trusted input/change events (#369, #385). Fetch.takeResponseBodyAsStream + IO.read/IO.close stream large downloads in bounded chunks from a capped store, so they never sit in memory or leak (#381, #387).

New features and Web APIs

DOM.setFileInputFiles for file uploads; trusted input/change events (#369, #385).
Fetch.takeResponseBodyAsStream + IO.read / IO.close, backed by a bounded stream store (capped entries and bytes, oldest-first eviction) (#381, #387).
fetch --file <urls> --concurrency N for batch raw-resource checks (#352).
• WebCrypto SubtleCrypto secret-key algorithms: HMAC, AES-GCM/CBC/CTR, PBKDF2, HKDF, plus crypto.getRandomValues / randomUUID (#344).
fetch() bodies: Blob, ArrayBuffer, and TypedArray serialization (#329).
in / Object.keys work on el.style and el.dataset; cssText serializes dashed names (#357).
:has() selectors (#331); SVGAnimatedString for SVG className / href (#330).

Fixes

new Image() is a real HTMLImageElement with a working .style (#350).
Page.navigateToHistoryEntry (goBack / goForward) is no longer misrouted as a navigation (#372).
Fetch.continueRequest applies url / method / header / body overrides (#373).
• Cookie Path matching respects the RFC 6265 5.1.4 / boundary, so a /admin cookie is not sent to /administrator (#383).
• An uncaught error in one inline script no longer stops later scripts (#358).
• Main-resource response body and real MIME exposed to CDP on navigation (#340).
• DOMSnapshot walk and comment serialization made iterative / hardened.
• Checkbox / radio default to "on"; childNodes is a real NodeList.
• Multi-worker load balancer binds to --host for Docker (#336).

Security

serve --workers passes the proxy via the OBSCURA_PROXY environment variable instead of a --proxy argv flag, so credentials are not visible in ps or /proc/<pid>/cmdline (#370).
Set-Cookie Domain validated against the request origin.

Stealth and anti-fingerprinting

• Internal engine globals are hidden from Object.getOwnPropertyNames / Reflect.ownKeys, and JS-backed DOM accessors and constructors report as native, clearing pixelscan's unusualWindowProperties / tamperedFunctions (#377).

Docs

• Integrations section linking the Hermes agent plugin (#354).

Contributors

Thanks to @mnaza, @seffignoz, and @CrazyboyQCD for contributions this release.

Full Changelog: v0.1.9...v0.1.10