[bug report] deleting 'index.html' can cause private project contents to publish publicly

steps:

  1. create a new ‘hello-webpage’ project with glitch
  2. make it private
  3. delete index.html

expected:
my source code is still private; nothing about the interface indicated to me that deleting index.html would cause the rest of my files to become publicly visible

actual:
Deleting index.html has caused the site to render as a folder structure, which is now exposing my source code.

demo:
see https://private-project-or-is.glitch.me/ , which is private, but ‘sekrits.md’ is visible to all

Hey @jude,
I think that it is not a bug, but a feature unexpected thing that Glitch does. (For instance, it could respond with a static "No Files" page which says that a project doesn’t have any .html files/responses for ‘/’.)

Hey @jude this is a really good catch; thanks for the note! It’s totally understandable that this behavior would be unexpected in the context of a private project.

I’ll take this to the rest of the team to see if we can solve this in a better, less-surprising way!

This is something called an indexing page; it lists out the www directory. This happens when using hello-webpage. I don’t know what the container is running, but it sorta reminds me of running an Apache server. If you don’t have a default entry (index page) it’ll show you the directory listing page.

It's normal behaviour for serving static files … index.html replaces the file listing. Which files are served is unchanged.

For example, even with index.html, if someone typed in https://private-project-or-is.glitch.me/sekrits.md it would still be served.

There are configuration options for which files are served vs excluded, but it's a little tricky to apply the options; it's easier to use a node express server instead.
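As an added example (not part of the thread and not Glitch's own code), here is one way to follow the last reply's suggestion of running your own Node server so that only an explicit folder is served and no listing is ever generated. It uses Node's built-in `http` module rather than express so it runs without dependencies; the `public/` folder name, the `--serve` flag, the port fallback and the extension allow-list are assumptions.

```javascript
// Added example: serve only an allow-listed public/ folder, never the project root.
const http = require('node:http');
const fs = require('node:fs');
const path = require('node:path');

// Only these extensions are ever served (assumed allow-list for a simple site).
const TYPES = { '.html': 'text/html', '.css': 'text/css', '.js': 'text/javascript' };

// Map a request path to a file inside publicDir, or return null to refuse it.
function resolvePublicFile(publicDir, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.endsWith('/')) decoded += 'index.html'; // default document only
  const root = path.resolve(publicDir);
  const target = path.resolve(root, '.' + path.posix.normalize('/' + decoded));
  // Defence in depth: refuse anything that resolves outside the public folder.
  if (!target.startsWith(root + path.sep)) return null;
  // Refuse dotfiles and any extension not on the allow-list.
  if (path.relative(root, target).split(path.sep).some((p) => p.startsWith('.'))) return null;
  if (!Object.hasOwn(TYPES, path.extname(target))) return null;
  // Refuse directories, symlinks and missing files: a listing is never generated.
  try {
    return fs.lstatSync(target).isFile() ? target : null;
  } catch {
    return null;
  }
}

function createServer(publicDir) {
  return http.createServer((req, res) => {
    const file = req.method === 'GET' ? resolvePublicFile(publicDir, req.url) : null;
    if (!file) {
      res.writeHead(404, { 'Content-Type': 'text/plain' });
      return res.end('Not found');
    }
    res.writeHead(200, { 'Content-Type': TYPES[path.extname(file)] });
    fs.createReadStream(file).pipe(res);
  });
}

// Start listening only when asked, e.g. `node server.js --serve` (file name assumed).
if (process.argv.includes('--serve')) {
  createServer(path.join(__dirname, 'public')).listen(process.env.PORT || 3000);
}
```

With this layout, a file such as `sekrits.md` kept in the project root is unreachable whether or not `public/index.html` exists, because deleting the index page yields a 404 instead of a listing.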