MetaMask / metamask-extension

:globe_with_meridians: :electric_plug: The MetaMask browser extension enables browsing Ethereum blockchain enabled websites
https://metamask.io

[Bug]: Metamask prevents TrueNAS from logging into Google Drive #19861

Closed interfect closed 8 months ago

interfect commented 1 year ago

Describe the bug

The TrueNAS NAS software has an authentication flow in its web UI where you:

  1. Click a button on http://some.local.ip/ and it opens a truenas.com popup browser window.
  2. Go through a Google Drive authentication flow in that window.
  3. Have the obtained tokens populate in the form in the original http://some.local.ip/ window

I have no idea how this is accomplished, but Metamask's lockdown-install.js interferes with it. With the extension enabled, the flow doesn't work. When I disable the extension and do the exact same thing, it works.

Steps to reproduce

  1. Have a TrueNAS NAS
  2. Log into its web UI
  3. Go to System -> Cloud Credentials in the menu on the left
  4. Click the Add button on the upper right
  5. Set Provider to Google Drive
  6. Hit the Login to Provider button
  7. Go through the authentication flow in the popup to authorize TrueNAS to a Google account.
  8. Credentials should populate in the form when the popup closes, but they won't.

Error messages or log output

In the truenas.com popup, immediately when it opens, I get this log:

This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
google_drive
Cookie “session” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite google_drive
Removing intrinsics.Array.fromAsync lockdown-install.js:1:133618
Removing intrinsics.%ArrayPrototype%.toReversed lockdown-install.js:1:133618
Removing intrinsics.%ArrayPrototype%.toSorted lockdown-install.js:1:133618
Removing intrinsics.%ArrayPrototype%.toSpliced lockdown-install.js:1:133618
Removing intrinsics.%ArrayPrototype%.with lockdown-install.js:1:133618
Removing intrinsics.%ArrayPrototype%.@@unscopables.toReversed lockdown-install.js:1:133618
Removing intrinsics.%ArrayPrototype%.@@unscopables.toSorted lockdown-install.js:1:133618
Removing intrinsics.%ArrayPrototype%.@@unscopables.toSpliced lockdown-install.js:1:133618
Removing intrinsics.%TypedArrayPrototype%.toReversed lockdown-install.js:1:133618
Removing intrinsics.%TypedArrayPrototype%.toSorted lockdown-install.js:1:133618
Removing intrinsics.%TypedArrayPrototype%.with lockdown-install.js:1:133618
DOMException: Permission denied to access property "toString" on cross-origin object
    <anonymous> https://www.truenas.com//oauth/google_drive?origin=http://XXXXXCENSOREDXXXXX/ui/system/cloudcredentials/add:20
lockdown-install.js:1:103865

I can't get a log of what happens when the popup closes.

With Metamask off I instead get this log when the popup opens:

This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
google_drive
Uncaught DOMException: Permission denied to access property "toString" on cross-origin object
    <anonymous> https://www.truenas.com//oauth/google_drive?origin=http://XXXXXCENSOREDXXXXX/ui/system/cloudcredentials/add:20
google_drive:20
Cookie “session” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite google_drive

### Version

10.31.1

### Build type

None

### Browser

Firefox

### Operating system

Linux

### Hardware wallet

_No response_

### Additional context

It looks like the page that starts the login flow has code like this:
    var origin = "http://XXXXXCENSOREDXXXXX/ui/system/cloudcredentials/add";
    if (!window.opener || !window.opener.location.toString().startswith(origin))
    {
        document.body.innerHTML = "This page can only be opened by FreeNAS system at <b>" + escapeHTML(origin) + "</b>";
    }


Whether Metamask is on or off, it doesn't seem to actually be allowed to stringify `window.opener`, but with Metamask off the tokens get to the NAS web UI properly.
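
The opener check quoted above, worked through as an added example that is not part of the issue and not code from TrueNAS or MetaMask. It models the two windows of the popup flow in plain Node: the browser's cross-origin rules are simulated only far enough to show why `window.opener.location.toString()` is denied from the truenas.com popup (the same message as in the console logs above), and what a hand-off via `postMessage` looks like when both sides check origins. The private-IP opener origin, the stranger origin and the token value are constructed for the example, `startsWith` is used as JavaScript spells it so the quoted condition can actually be evaluated, and nothing here reproduces the extension's lockdown behaviour; whether TrueNAS uses `postMessage` is not claimed.

```javascript
// Added example, not code from the issue, TrueNAS or MetaMask: an in-process
// model of the two windows in the popup flow. The browser's cross-origin
// rules are simulated only far enough to show why the quoted check throws
// and how a postMessage hand-off verifies origins on both sides.
// Origins and token values below are constructed for the example.

// Minimal stand-in for a browser window: an origin, an optional opener and a
// list of "message" listeners. Real postMessage delivery is asynchronous;
// here it is synchronous so results can be inspected directly.
function makeWindow(origin, opener = null) {
  const win = { origin, opener, listeners: [] };
  win.addEventListener = (type, fn) => {
    if (type === "message") win.listeners.push(fn);
  };
  // Deliver only when targetOrigin is "*" or equals the receiver's origin.
  // This is the sender-side guarantee: tokens posted with a concrete
  // targetOrigin never reach a window that has navigated elsewhere.
  win.postMessage = (data, targetOrigin, source) => {
    if (targetOrigin !== "*" && targetOrigin !== win.origin) return false;
    for (const fn of win.listeners) fn({ data, origin: source.origin, source });
    return true;
  };
  return win;
}

// A window's Location as seen from another window. Same-origin viewers get
// the full object; cross-origin viewers may only set href or call replace,
// and any other property access is denied, toString included. The message
// text mirrors Firefox's wording from the issue's console log.
function locationAsSeenFrom(target, viewer) {
  const href = target.origin + "/";
  if (target.origin === viewer.origin) {
    return { href, toString: () => href };
  }
  return new Proxy({}, {
    get(_obj, prop) {
      if (prop === "replace") return () => {};
      throw new Error(
        `Permission denied to access property "${String(prop)}" on cross-origin object`);
    },
  });
}

// The opener check quoted in the issue, run from the popup. Returns null if
// it passes, otherwise the reason it failed. Cross-origin it can never pass:
// the read throws before the comparison happens.
function openerUrlCheck(popup, expectedOrigin) {
  if (!popup.opener) return "no opener";
  try {
    const loc = locationAsSeenFrom(popup.opener, popup);
    return loc.toString().startsWith(expectedOrigin) ? null : "origin mismatch";
  } catch (e) {
    return e.message;
  }
}

// Hardened hand-off. The popup posts the tokens only to the origin it was
// told to trust (the ?origin= parameter); the opener accepts a message only
// if it comes from the popup it created and from the OAuth page's origin.
// A stranger window then tries to inject forged tokens with targetOrigin "*".
function runPopupFlow(openerOrigin, popupOrigin, originParam, tokens) {
  const opener = makeWindow(openerOrigin);
  const popup = makeWindow(popupOrigin, opener);
  let received = null;
  opener.addEventListener("message", (ev) => {
    if (ev.source !== popup) return;        // not the window we opened
    if (ev.origin !== popupOrigin) return;  // not the OAuth page
    received = ev.data;
  });
  const delivered = popup.opener.postMessage({ tokens }, originParam, popup);

  const stranger = makeWindow("https://evil.example"); // constructed origin
  const before = received;
  opener.postMessage({ tokens: "forged" }, "*", stranger);
  const forgedAccepted = received !== before;

  return { delivered, received, forgedAccepted };
}

if (typeof require !== "undefined" && require.main === module) {
  const opener = makeWindow("http://192.0.2.10"); // constructed NAS origin
  const popup = makeWindow("https://www.truenas.com", opener);
  console.log("quoted check:", openerUrlCheck(popup, "http://192.0.2.10"));
  console.log(runPopupFlow("http://192.0.2.10", "https://www.truenas.com",
                           "http://192.0.2.10", "example-token"));
}
```

The point for a practitioner is that the receiving side cannot learn the other window's URL cross-origin, so origin verification has to come from what the browser attaches to the message (`event.origin`, `event.source`) and from the sender naming a concrete `targetOrigin` rather than `"*"`; an `?origin=` query parameter is only safe to trust as the `postMessage` target, never as proof of who opened the popup.
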

anaamolnar commented 1 year ago

Hello, @interfect. Thanks for reporting! Please let me know if you still experience the issue in the latest version. Thank you!

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days if there is no further activity. The MetaMask team intends on reviewing this issue before close, and removing the stale label if it is still a bug. We welcome new comments on this issue. We do not intend on closing issues if they report bugs that are still reproducible. Thank you for your contributions.

github-actions[bot] commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days if there is no further activity. The MetaMask team intends on reviewing this issue before close, and removing the stale label if it is still a bug. We welcome new comments on this issue. We do not intend on closing issues if they report bugs that are still reproducible. Thank you for your contributions.

github-actions[bot] commented 8 months ago

This issue was closed because there has been no follow up activity in the last 45 days. If you feel this was closed in error, please reopen and provide evidence on the latest release of the extension. Thank you for your contributions.