fix(vk): route the Wallet public-offer link out of the Mini App WebView #281

Merged
developer merged 1 commits from feature/vk-offer-link-escape into development 2026-07-17 18:27:06 +00:00
Owner

The "Public offer" link in the Wallet (Wallet.svelte) pointed at the same-origin static /offer/ page with a plain target=_blank anchor and no click handler. The Android VK client ignores target=_blank and navigates its own WebView to the page, stranding the player with no way back to the game. iOS opens a child browser, so it was unaffected — matching the report.

The existing onExternalLinkClick router could not help: it escapes only cross-origin links (isExternalHttpUrl gate), and /offer/ is same-origin — a static legal page, not an SPA route.

Fix: add onInAppPageLinkClick, which routes a same-origin, non-SPA page out through the host escape hatch (Telegram openLink, VK away.php) while deliberately bypassing the cross-origin gate, and attach it to the offer link. Outside a Mini App host it is a no-op and the anchor own target=_blank stands. On VK Android the offer now opens in the system browser — the same path the working "Look up in dictionary" link already uses.

Audit of the other reported link points — both already correct, unchanged:

  • "Rules" (Info / About) → Wikipedia, cross-origin + handler → routes fine.
  • Ad-banner links → delegated onExternalLinkClick on the container + external URLs → route fine.

Tests: 3 regression cases in links.test.ts (VK Android → away.php + preventDefault; Telegram → openLink; plain host → no-op). Local ui gate green: vitest 649 passed, svelte-check 0 errors, vite build ok.

Caveat: no live VK-host e2e harness — unit tests cover the routing logic; the real on-device "opens and returns" is verified on the contour.

The **"Public offer"** link in the Wallet (`Wallet.svelte`) pointed at the same-origin static `/offer/` page with a plain `target=_blank` anchor and **no click handler**. The Android VK client ignores `target=_blank` and navigates its own WebView to the page, stranding the player with no way back to the game. iOS opens a child browser, so it was unaffected — matching the report. The existing `onExternalLinkClick` router could not help: it escapes only **cross-origin** links (`isExternalHttpUrl` gate), and `/offer/` is same-origin — a static legal page, not an SPA route. **Fix:** add `onInAppPageLinkClick`, which routes a same-origin, non-SPA page out through the host escape hatch (Telegram `openLink`, VK `away.php`) while deliberately bypassing the cross-origin gate, and attach it to the offer link. Outside a Mini App host it is a no-op and the anchor own `target=_blank` stands. On VK Android the offer now opens in the system browser — the same path the working "Look up in dictionary" link already uses. **Audit of the other reported link points — both already correct, unchanged:** - "Rules" (Info / About) → Wikipedia, cross-origin + handler → routes fine. - Ad-banner links → delegated `onExternalLinkClick` on the container + external URLs → route fine. **Tests:** 3 regression cases in `links.test.ts` (VK Android → away.php + preventDefault; Telegram → openLink; plain host → no-op). Local `ui` gate green: vitest 649 passed, svelte-check 0 errors, vite build ok. **Caveat:** no live VK-host e2e harness — unit tests cover the routing logic; the real on-device "opens and returns" is verified on the contour.
developer added 1 commit 2026-07-17 18:20:39 +00:00
fix(vk): route the Wallet public-offer link out of the Mini App WebView
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Has been skipped
CI / integration (pull_request) Has been skipped
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 12s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m56s
584384487c
The "Public offer" link in the Wallet pointed at the same-origin static
/offer/ page with a plain target=_blank anchor and no click handler. The
Android VK client ignores target=_blank and navigates its own WebView to
the page, stranding the player with no way back to the game (iOS opens a
child browser, so it was unaffected). The existing onExternalLinkClick
router could not help: it escapes only cross-origin links, and /offer/ is
same-origin (a static legal page, not an SPA route).

Add onInAppPageLinkClick, which routes a same-origin, non-SPA page out
through the host escape hatch (Telegram openLink, VK away.php) while
bypassing the cross-origin gate, and attach it to the offer link. Outside
a Mini App host it is a no-op and the anchor's own target=_blank stands.

The "Rules" (About) and ad-banner links already route correctly
(cross-origin + a handler) and are left unchanged.
owner approved these changes 2026-07-17 18:22:20 +00:00
developer merged commit 9eacb9b115 into development 2026-07-17 18:27:06 +00:00
developer deleted branch feature/vk-offer-link-escape 2026-07-17 18:27:06 +00:00
Sign in to join this conversation.
No Reviewers
No Label
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: developer/scrabble-game#281