enable code sandboxing

dist/article/article.html

@@ -3,13 +3,13 @@
 <head>
     <meta charset="UTF-8">
     <meta http-equiv="Content-Security-Policy"
-        content="default-src 'none'; script-src-elem 'sha256-Y47O8EyR7IULmMXvvGsrM43xajwkPmTKvC8AhLDvg/o='; img-src http://* https://*; style-src 'self' 'unsafe-inline'; frame-src http://* https://*; media-src http://* https://*">
+        content="default-src 'none'; script-src-elem 'sha256-HLvh6tC4kZKt81b6Yi9wjdyXvuwO6InxwRG96ZZjHrw='; img-src http://* https://*; style-src 'self' 'unsafe-inline'; frame-src http://* https://*; media-src http://* https://*">
     <title>Article</title>
     <link rel="stylesheet" href="article.css" />
 </head>
 <body>
     <div id="main"></div>
-    <script integrity="sha256-Y47O8EyR7IULmMXvvGsrM43xajwkPmTKvC8AhLDvg/o=" src="article.js"></script>
+    <script integrity="sha256-HLvh6tC4kZKt81b6Yi9wjdyXvuwO6InxwRG96ZZjHrw=" src="article.js"></script>
     <!-- Run "cat article.js | openssl dgst -sha256 -binary | openssl enc -base64 -A" for hash -->
 </body>
 </html>

dist/article/article.js

@@ -3,7 +3,7 @@ function get(name) {
         return decodeURIComponent(name[1]);
 }
 document.documentElement.style.fontSize = get("s") + "px"
-let html = decodeURIComponent(window.atob(get("h")))
+let html = get("h")
 let domParser = new DOMParser()
 let dom = domParser.parseFromString(html, "text/html")
 let baseEl = dom.createElement('base')

src/components/article.tsx

@@ -180,11 +180,11 @@ class Article extends React.Component<ArticleProps, ArticleState> {
         }
     }
 
-    articleView = () => "article/article.html?h=" + window.btoa(encodeURIComponent(renderToString(<>
+    articleView = () => "article/article.html?h=" + encodeURIComponent(renderToString(<>
         <p className="title">{this.props.item.title}</p>
         <p className="date">{this.props.item.date.toLocaleString(this.props.locale, {hour12: !this.props.locale.startsWith("zh")})}</p>
         <article dangerouslySetInnerHTML={{__html: this.props.item.content}}></article>
-    </>))) + `&s=${this.state.fontSize}&u=${this.props.item.link}`
+    </>)) + `&s=${this.state.fontSize}&u=${this.props.item.link}`
     
     render = () => (
         <FocusZone className="article">

src/main/window.ts

@@ -57,6 +57,7 @@ export class WindowManager {
                 fullscreenable: false,
                 show: false,
                 webPreferences: {
+                    sandbox: true,
                     webviewTag: true,
                     enableRemoteModule: false,
                     contextIsolation: true,

src/scripts/models/item.ts

@@ -177,7 +177,7 @@ export function fetchItems(background = false): AppThunk<Promise<void>> {
         let promises = new Array<Promise<RSSItem[]>>()
         const initState = getState()
         if (!initState.app.fetchingItems && !initState.app.syncing) {
-            await dispatch(syncWithService())
+            await dispatch(syncWithService(background))
             let timenow = new Date().getTime()
             let sources = <RSSSource[]>Object.values(getState().sources).filter(s => {
                 let last = s.lastFetched ? s.lastFetched.getTime() : 0