• v0.0.8 f9fdfc5822

    Stable

    patillacode released this 2026-05-28 19:07:57 +02:00 | 11 commits to main since this release

    v0.0.8

    Pages are now served from per-page subdomains ({page_id}.{CONTENT_DOMAIN}) instead of the old /p/{page_id} path. That route is gone and there's no redirect, so any links shared before this release will 404. You'll need to re-upload and re-share them.

    Why the change: serving user-supplied HTML on the same origin as the app lets a malicious page steal localStorage tokens. Putting each page on its own subdomain cuts that off entirely.


    What's New

    Per-page subdomain serving (origin isolation)

    Each uploaded page now lives at {page_id}.{CONTENT_DOMAIN}. Security headers are applied to app routes (CSP, X-Frame-Options, etc.) and content pages get noindex and no-store too. Uvicorn now runs with --proxy-headers so the host resolves correctly behind a reverse proxy.

    Auto-upload drop zone

    The upload UI was fully rebuilt. Drop a file or pick one from the browser and it uploads straight away, no separate button needed. The zone moves through a few states:

    • idle: waiting for a file
    • uploading: shows a progress indicator
    • success: shows the URL with click-to-copy and an "Upload another" button to reset
    • error: shows an inline message with a click-to-retry hint

    The old result and error panels below the zone are gone.

    Cleanup scheduler card in admin UI

    The admin panel now has a cleanup scheduler section. It shows the last run time, how many pages were deleted, what triggered it (scheduled or manual), when the next run is, and a collapsible history table. There's also a "Run now" button if you want to trigger it manually.

    Custom 404 page

    Unknown routes now return a proper styled HTML 404 page instead of a raw JSON error.


    Bug Fixes

    Mixed-case page IDs now resolve correctly

    Older page IDs were generated with token_urlsafe, which can include uppercase letters (like sRysndGq). Browsers lowercase hostnames before sending them, so the subdomain would arrive as srysndgq and the case-sensitive DB lookup would miss it. The lookup now lowercases both sides and resolves the file path from the stored ID, so old pages with uppercase IDs still work fine.
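
The lookup described above, sketched as an added example (not the project's own code). The `pages` table, the `page_id` column, the `pages.example` content domain and all function names are assumptions. It goes one step beyond the release note by refusing a match when two stored IDs differ only by case, since both would map to the same subdomain.

```python
import re
import sqlite3

CONTENT_DOMAIN = "pages.example"            # assumed value for the example
LABEL_RE = re.compile(r"[a-z0-9_-]{1,63}")  # lowercased token_urlsafe alphabet


def page_id_from_host(host, content_domain=CONTENT_DOMAIN):
    """Return the lowercased page label from a Host header, or None."""
    name = host.split(":", 1)[0].rstrip(".").lower()  # drop port, trailing dot
    suffix = "." + content_domain.lower()
    if not name.endswith(suffix):
        return None                         # apex or a foreign host
    label = name[: -len(suffix)]
    # Exactly one label: rejects "a.b.pages.example" and empty labels.
    return label if LABEL_RE.fullmatch(label) else None


def resolve_stored_id(conn, host):
    """Map a Host header to the ID as stored, lowercasing both sides."""
    label = page_id_from_host(host)
    if label is None:
        return None
    rows = conn.execute(
        "SELECT page_id FROM pages WHERE lower(page_id) = ?", (label,)
    ).fetchall()
    # Two stored IDs differing only by case would share one subdomain; refuse.
    return rows[0][0] if len(rows) == 1 else None


def demo_db():
    """Constructed sample data: legacy mixed-case ID plus a case-colliding pair."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (page_id TEXT PRIMARY KEY)")
    conn.executemany(
        "INSERT INTO pages VALUES (?)",
        [("sRysndGq",), ("k3v9-x_a",), ("AbCd1234",), ("abcd1234",)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    for h in ("srysndgq.pages.example", "SRYSNDGQ.pages.example:8000",
              "abcd1234.pages.example", "pages.example", "x.y.pages.example"):
        print(h, "->", resolve_stored_id(db, h))
```

The returned value is the ID with its stored casing, which is what the file path should be built from on a case-sensitive filesystem.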


    Refactoring

    Inline <style> and <script> blocks in index.html, admin.html, and error.html were moved out into separate files under app/static/css/ and app/static/js/.
