Husk v0.1.3 — Real popup windows + Firebase Auth fix
Big OAuth-flow release. Three connected fixes that together make "Sign in with X" feel right: popups behave like popups, vault stops hijacking the sidebar, and Firebase / postMessage-based auth actually delivers the token back to the parent page.
Downloads
| File | Size | SHA-256 |
|---|---|---|
Husk-Portable-0.1.3.zip |
1.8 MB | f2ff59527e958cacf7cad6c16f5467befdc695d9d8a273ab73733a5aefdd295d |
husk.exe (raw, for inspection) |
4.0 MB | b496c017c3b2fd2be4a87d37202b3ae9f5a65c53f3da107ef7a6315d1d84f69b |
Verify before running
Get-FileHash .\Husk-Portable-0.1.3.zip -Algorithm SHA256Match the output against the hash above. If it differs — do not run.
What's new
OAuth popups open as real popup windows
"Sign in with Google / Microsoft / GitHub / Apple" used to land in a new TAB inside the current window. The login form was there, the auth completed, the tab closed (since v0.1.1) — but the visual experience was wrong: an OAuth flow is supposed to feel like a transient dialog, not "your browser is now hosting two tabs."
v0.1.3 routes window.open(url, _, "width=X,height=Y,...") — the universal popup pattern — to a new Husk window sized to the requested dimensions (with a sane 320×240 minimum), inheriting the parent tab's mode (Normal / Private / Paranoia). When the auth flow calls window.close(), the whole popup window disappears and you're back on the parent page.
Implementation: native add_NewWindowRequested hook reads WindowFeatures.HasSize / HasPosition. With a hint, popup window. Without, fall through to the v0.1.0 behaviour (new tab). Middle-click and target="_blank" on regular links still open as tabs.
Firebase Auth + postMessage-based OAuth now work
The headline fix. Earlier Husk versions would open the OAuth popup, let the user authenticate, then close the popup — but the parent site wouldn't actually log in. The cause: the popup and the parent were two separate WebView2 instances with no window.opener relationship between them, so the popup's window.opener.postMessage(token) call (the standard Firebase Auth delivery mechanism, used by tens of thousands of SaaS sites) sent its token into the void.
v0.1.3 fixes this by using WebView2's deferral pattern around NewWindowRequested: we take a deferral, build the Husk-side popup WebView, then hand WebView2 our controller via args.put_NewWindow(...) and complete the deferral. WebView2 then navigates our controller to the popup URL with window.opener correctly wired to the parent. postMessage works the way the page expects, the token arrives, the parent logs in.
Tested against Firebase Auth (e.g. promptbase.com), Google direct OAuth, GitHub OAuth, Microsoft OAuth.
Vault save prompt no longer auto-opens the sidebar
When you submitted a login form, Husk would offer to save the credentials to your vault. In v0.1.1 this was an in-place toast at the top of the chrome IF the vault was already unlocked — but if the vault was locked (or you hadn't set one up yet), the sidebar would automatically expand to show the unlock prompt. On a banking, mail, or work-tool login that you didn't want to save, the sidebar expansion felt like Husk was reaching into a private surface uninvited.
v0.1.3 keeps the offer as a thin horizontal toast in all states. The toast wording adapts ("Save", "Vault is locked — Open vault", "Set up your Husk vault to save this"). The sidebar opens only if you explicitly click "Save" or "Open vault" on the toast — or if it was already open at the time of the form submit.
OAuth credentials are never offered for save
Related: credentials entered into an OAuth popup window are not offered for save in your vault at all. The credential belongs to Google / Microsoft / etc., not the parent site, so saving it would be confusing at best and dangerous at worst.
Everything else
Unchanged from v0.1.1 — same Argon2id + ChaCha20-Poly1305 vault, same DoH proxy, same anti-fingerprint stack, same boss key, same crypto source at husk-crypto.
Upgrade path
Drop the new husk.exe into your existing portable folder, replacing the old one. Your HuskData/ directory stays untouched.
Known limitations carried over
- Taskbar pin AUMID identity is still consolidated by Windows Shell in development setups where multiple
husk.exebinaries live on the same machine. Affects users running both a dev tree and the portable release — i.e. nobody who only downloaded the public binary. Investigation continues. - macOS + Linux still v0.2 targets.
Coming next
- Chromeless OAuth popup option (currently popups carry the full Husk chrome — fine for security, but mainstream browsers go minimal)
- Mac and Linux work begins after this patch ships
- A
--profile=<name>argument for users who want a non-default startup profile from a desktop shortcut
If Husk is useful to you, support keeps it free, ad-free and account-free: husk.run/donate.