Wow the people in this thread are a huge bummer. This is much cooler and I doubt this is a real safety issue. You can already sign up for a free cloudflare account and deploy it for free, on your own, on a free workers.dev domain. The friction removal here isn't going to meaningfully change the security / amount of malicious content.
Well according to the people in this thread it was previously impossible for bad actors to host a website, and CloudFlare has now given them this unique ability.
I really hope/imagine this project specifically has a LLM of some kind doing real-time analysis on the uploaded files for malware from the get-go. How good that is could be is anyone's guess (and chances are there would be blind spots / evasion techniques).
I thought it was a reference to the Mac OS X `~/Public/Drop Box` directory, which was a write-only place for people to send files to your user, which has been around since the first OS X beta came out in 2000.
Cloudflare is obviously more trustworthy/robust here, but if name of the url matters to you, my site non.io [1] allows for named uploads, ie https://news.ycombinator.com/item?id=36296695
[2] This was a demo of the output of a design tool I'm working on, only the home/accommodations/about pages work.
There must be some really good protection on this. If I enabled such a thing on any of my servers it would be full of warez, porn, malware, CSAM and who knows what else within minutes. Curious how they manage to keep it clean.
I've never used CF so I could be ignorant in this matter. I assumed perhaps incorrectly that people had to verify their email address and delegate their domain(s) to CF including setting the glue records in the TLD servers meaning there is possibly a financial trail somewhere probably in the DNS registrars and perhaps a mail provider, whereas this is just drag-and-drop with no money trail.
I have no idea what guardrails they have in place in the background that blocks malware, CSAM, warez and such on their free accounts.
It's minesweeper, but the logic uses xstate/store. The link in the bottom is broken; it's supposed to go to `building-minesweeper-with-xstate-store.html`
I have no need for this but I love that my friends could vibe out a website, drop it here, claim it, and host it for pennies. This is great.
"Your site is reachable within ~32ms of 95% of the world’s Internet-connected population" isn't new but it's cool to see that achieved so trivially.
Isn't there already thousands of ways for exfiltrating data that must be whitelisted by corporate firewalls? office365/gsuite, for instance. Not to mention the classics like dns.
Your code appears to have a bug where if the arrow keys trigger a change of direction twice in a single frame interval, it can mistakenly send the snake back on itself.
I have been hosting static websites with cloudflare for years and finding how to do it on the UI is getting harder as they add more things and reoranize.
Wait, my first impression was that it points a local browser to your local browser. Now it looks like it uploads your folder to Cloudflare and temporarily serves it over the web. But is that different from what we used to do with FTP? Are there any databases or anything like basic PHP hosts supply? It's just static sites?
Is this a product or what? What's the purpose? Is there an API?
A minute ago I had an HTML doc I wanted to share with a PM. It was a Claude prepared demo of a hypothetical feature. Lots of screenshots.
I ended up just embedding them directly in the HTML as base64 and sending him a 15mb file, but hypothetically this would have been a nice solution instead.
Absolutely agree. There's an insane "feature" of Claude Design which means you can only share the link to the design with other users on your account?! You can export the design, though, but then you need somewhere to quickly drop a bunch of HTML + assets. This would be perfect for that.
There are also solutions for sharing your homelab with others (basically tunneling from your machine->server (internet accessible) <-> client. Though, if your machine would go to sleep that whole chain would fall apart. A few good automatic solutions out there that solve the problem (no "just replace dropbox with ftp" type of argument).
However, I see the appeal of this. Kind of surprised it hasn't happened yet to be honest.
Replit is used a lot in this context. Their agent is good, but their circumvent-policies-to-get-something-in-front-of-execs-quickly is an amazing and mis-priced feature.
You could just upload to a personal or other website? I sometimes do that. Is there any security or privacy (e.g. password protection) for this Cloudflare Drop site?
This is pretty cool, thanks for sharing.
It really enables less tech savvy users. It would really enable frontpage/dreamworks-like flows for some people
Hah! This is exactly how I’m serving the vestigial remnant of my blogging in the early 2000s from a ZIP-backed Cloudflare Worker today. Should I rebuild my site with Drop+Claim or is it fine as-is? I kind of feel like ‘if what I have works, don’t change it’ is the best path.
I tried uploading a git repository that I have previously successfully published on Github pages. This is a "no build" website I have built with the help of Claude. It should just work but I keep getting an error. Who can I reach out to give them steps to reproduce? The website repository is public and I feel like anyone at Cloudflare who wants to reproduce my problem can quite literally clone my repo and upload it to cloudflare drop.
Please drop your cloudflare email address and I will reach out to you with my repository information.
Or you could do some of your own troubleshooting? Uploading a git repo is different than uploading a zipped/folder, especially if your index.htm/l isn't at the root.
It would be nice if we could see some information such as file size limitations, demos, link structure, management, etc. Am I expected to upload a random HTML file and see how it works?
Yeah I'm very lost on what this is supposed to do -- "Summon your site" is quite vague. "see it live", like a demo? or is this actually published somewhere? Is it forever?
Desktop mode doesn't show any more information either
It could be fun to use a temporary Mediafire/Rapidshare/Megaupload service. Especially if you need to transfer something between an Android and an iPhone.
Dropped a folder with a small HTML project, and after 20 seconds got "Something went wrong. An unexpected error occurred. Please try again or contact support.".
Note how the error has zero information.
Looking in the network tab, a POST request to /upload returned 403 and an HTML page starting with "Sorry, you have been blocked", and to "email the site owner to let them know you were blocked".
I'm very tired of this adversarial approach to software coupled with vague errors.
EDIT: it was the file './git/hooks/fsmonitor-watchman.sample' created by default on git init. Maybe because it's Perl. Worse-than-useless "please try again" and "you've been blocked" for committing the sin of uploading a folder that's a git repository. Sigh...
Cloudflare is really good at launching features that facility low-friction deployment of malicious content (such as phishing) on the Internet, piggybacking on their hosting reputation and the fact that you can't easily block their ASN or domains.
I don't know your experience. Once I was toying around and doing a basic auth with registration and so. The weekend was over and couldn't get back to that couple of months. The worker was quarantined and marked as phishing automatically. So I believe they have something in place to prevent those you complain.
Wow the people in this thread are a huge bummer. This is much cooler and I doubt this is a real safety issue. You can already sign up for a free cloudflare account and deploy it for free, on your own, on a free workers.dev domain. The friction removal here isn't going to meaningfully change the security / amount of malicious content.
Well according to the people in this thread it was previously impossible for bad actors to host a website, and CloudFlare has now given them this unique ability.
I really hope/imagine this project specifically has a LLM of some kind doing real-time analysis on the uploaded files for malware from the get-go. How good that is could be is anyone's guess (and chances are there would be blind spots / evasion techniques).
Agreed I think this is pretty solid especially since you get all the Cloudflare benefits like CDN from the get-go.
hn has turned into a reddit hate fest. It's getting hard to read non stop negativity and hate. I'm happy to see your positive comment.
You must be new here :)
2 replies →
wait till anyone remotely mentions apple or apple products. the neckbeards on their thinkpads will come in droves to shit on cupertino's best.
Netlify made this 10 years ago... they even copied the name! https://app.netlify.com/drop
And BitBalloon before that (which Netlify acquired) http://web.archive.org/web/20131028083240/https://www.bitbal...
Loved this app. What is old is new again.
There are numerous products like this out there. Isn’t that where Dropbox got its name in the first place?
I thought it was a reference to the Mac OS X `~/Public/Drop Box` directory, which was a write-only place for people to send files to your user, which has been around since the first OS X beta came out in 2000.
1 reply →
I was always under the impression that that was referencing the notion from spycraft.
Don't forget Digital Ocean Droplets.
1 reply →
Low barrier services don't care who's first in this epoch.
Its not exactly a very elaborate name.
My... Aviato?
But this time it's with ~blockchain~ AI!
ouch... I get that it's a simple concept but darn it really does seem like ctrl c ctrl v lmao
Cloudflare is obviously more trustworthy/robust here, but if name of the url matters to you, my site non.io [1] allows for named uploads, ie https://news.ycombinator.com/item?id=36296695
[2] This was a demo of the output of a design tool I'm working on, only the home/accommodations/about pages work.
There must be some really good protection on this. If I enabled such a thing on any of my servers it would be full of warez, porn, malware, CSAM and who knows what else within minutes. Curious how they manage to keep it clean.
Only live for an hour.
But that won't stop people doing bad stuff for an hour I guess. Vibe code up some on-demand thing that you ping...
One hour is great for spearphishing attacks, once the victim has been infected their IT department will have no trace of the source.
They already allow hosting static websites so I think the same guardrails are implemented.
I've never used CF so I could be ignorant in this matter. I assumed perhaps incorrectly that people had to verify their email address and delegate their domain(s) to CF including setting the glue records in the TLD servers meaning there is possibly a financial trail somewhere probably in the DNS registrars and perhaps a mail provider, whereas this is just drag-and-drop with no money trail.
I have no idea what guardrails they have in place in the background that blocks malware, CSAM, warez and such on their free accounts.
1 reply →
Yeah, I was going to start a file drop site like 0x until realizing what it'd be used for
Cool, it worked!
https://drop-1e1a536f-10d.honeysuckle-gull.workers.dev/
It's minesweeper, but the logic uses xstate/store. The link in the bottom is broken; it's supposed to go to `building-minesweeper-with-xstate-store.html`
I have no need for this but I love that my friends could vibe out a website, drop it here, claim it, and host it for pennies. This is great.
"Your site is reachable within ~32ms of 95% of the world’s Internet-connected population" isn't new but it's cool to see that achieved so trivially.
It is cool to see not sure why you would use it.
Also it seems to me that this is a good way to exfiltrate data, rubber stamped by cloudflare themselves.
Isn't there already thousands of ways for exfiltrating data that must be whitelisted by corporate firewalls? office365/gsuite, for instance. Not to mention the classics like dns.
Hmm, that's fun and useful. Here is snake game for 60 minutes.
https://drop-e7e6d363-601.important-seat.workers.dev
$ curl -I https://drop-e7e6d363-601.important-seat.workers.dev/ curl: (7) Failed to connect to drop-e7e6d363-601.important-seat.workers.dev port 443 after 47 ms: Couldn't connect to server
Tried from two hosts, different countries.
Your code appears to have a bug where if the arrow keys trigger a change of direction twice in a single frame interval, it can mistakenly send the snake back on itself.
What an honor. I got a high score of seven.
Reminds me of web development in the 1990s.
I honestly miss those days of deployment simplicity.
FTPing files to `~/public_html` was the best... Miss those days.
It still works...
1 reply →
I can see this interface is for vibe coders haha
I have been hosting static websites with cloudflare for years and finding how to do it on the UI is getting harder as they add more things and reoranize.
Makes sense. It plays nicely with the vibe code kids who don’t know how to do GitHub or don’t know to ask their LLM about it.
Wait, my first impression was that it points a local browser to your local browser. Now it looks like it uploads your folder to Cloudflare and temporarily serves it over the web. But is that different from what we used to do with FTP? Are there any databases or anything like basic PHP hosts supply? It's just static sites?
Is this a product or what? What's the purpose? Is there an API?
A minute ago I had an HTML doc I wanted to share with a PM. It was a Claude prepared demo of a hypothetical feature. Lots of screenshots.
I ended up just embedding them directly in the HTML as base64 and sending him a 15mb file, but hypothetically this would have been a nice solution instead.
Absolutely agree. There's an insane "feature" of Claude Design which means you can only share the link to the design with other users on your account?! You can export the design, though, but then you need somewhere to quickly drop a bunch of HTML + assets. This would be perfect for that.
2 replies →
There are also solutions for sharing your homelab with others (basically tunneling from your machine->server (internet accessible) <-> client. Though, if your machine would go to sleep that whole chain would fall apart. A few good automatic solutions out there that solve the problem (no "just replace dropbox with ftp" type of argument).
However, I see the appeal of this. Kind of surprised it hasn't happened yet to be honest.
I built a tool _just the other day_ for this exact purpose. Now my agents proactively make disposable links for me: https://jlnk.us
Replit is used a lot in this context. Their agent is good, but their circumvent-policies-to-get-something-in-front-of-execs-quickly is an amazing and mis-priced feature.
You could just upload to a personal or other website? I sometimes do that. Is there any security or privacy (e.g. password protection) for this Cloudflare Drop site?
Check out Tailscale - they have TUNS + share the source files with someone else in tailnet.
This is pretty cool, thanks for sharing. It really enables less tech savvy users. It would really enable frontpage/dreamworks-like flows for some people
Tried uploading a ZIP and got:
"Something went wrong An unexpected error occurred. Please try again or contact support."
When contacting support:
"Please upload a screenshot of the error by dragging a zip of the png file."
>Something went wrong An unexpected error occurred. Please try again or contact support.
I have a few qualms with this app.
Hah! This is exactly how I’m serving the vestigial remnant of my blogging in the early 2000s from a ZIP-backed Cloudflare Worker today. Should I rebuild my site with Drop+Claim or is it fine as-is? I kind of feel like ‘if what I have works, don’t change it’ is the best path.
This is cool and I like it.
Desktop operating systems should be able to run zipped web apps the way Electron apps run today. It ought to just be part of the OS.
And if there's a form or something with a backend? Just break?
I remember doing this in 2006. FTP. Good times.
I remember making a Qt app for a friend that would upload dropped files via ftp and copy the link to the clipboard. Good old days!
Congratulations on launching!
I tried uploading a git repository that I have previously successfully published on Github pages. This is a "no build" website I have built with the help of Claude. It should just work but I keep getting an error. Who can I reach out to give them steps to reproduce? The website repository is public and I feel like anyone at Cloudflare who wants to reproduce my problem can quite literally clone my repo and upload it to cloudflare drop.
Please drop your cloudflare email address and I will reach out to you with my repository information.
Hey stranger, welcome to 2026. It’s somewhat different to what you’re used to in 2035. We do things differently here.
Or you could do some of your own troubleshooting? Uploading a git repo is different than uploading a zipped/folder, especially if your index.htm/l isn't at the root.
Thank you for the reply. Index dot html is already at the root of the folder and it deploys just fine on GitHub pages.
Yet I can't drag and drop a plain old HTML file without putting it in a folder or a ZIP file first.
You can, the file just has to be named "index.html".
> No account needed. Deployment is active for 60 minutes, then expires unless you claim it.
(https://x.com/BraydenWilmoth/status/2074894829616509358)
Same deal as their Cloudflare Workers previews from a few weeks ago: https://blog.cloudflare.com/temporary-accounts/
Cool, just 20 years too late.
Extension of the temporary accounts they needed to enable for Agents https://blog.cloudflare.com/temporary-accounts/
Cloudflare folks: Please consider supporting WARC archives for deployment.
Is that something you use often?
When I want to serve an archived website in read only mode, yes.
https://github.com/SpeedcubeDE/speedcube.de-forum-archive is an example use case.
Sort of, but not quite, like cherry-picking files out of an archive blob in S3.
(I’ll see if Claude and I can come up with a WARC archive->zip file converter too)
It would be nice if we could see some information such as file size limitations, demos, link structure, management, etc. Am I expected to upload a random HTML file and see how it works?
Yep, I chucked it a file on my desktop: index.html present Max individual file size 25MB Total file count <2000 Total size less than 100MB
Yeah I'm very lost on what this is supposed to do -- "Summon your site" is quite vague. "see it live", like a demo? or is this actually published somewhere? Is it forever?
Desktop mode doesn't show any more information either
It could be fun to use a temporary Mediafire/Rapidshare/Megaupload service. Especially if you need to transfer something between an Android and an iPhone.
Dropped a folder with a small HTML project, and after 20 seconds got "Something went wrong. An unexpected error occurred. Please try again or contact support.".
Note how the error has zero information.
Looking in the network tab, a POST request to /upload returned 403 and an HTML page starting with "Sorry, you have been blocked", and to "email the site owner to let them know you were blocked".
I'm very tired of this adversarial approach to software coupled with vague errors.
EDIT: it was the file './git/hooks/fsmonitor-watchman.sample' created by default on git init. Maybe because it's Perl. Worse-than-useless "please try again" and "you've been blocked" for committing the sin of uploading a folder that's a git repository. Sigh...
Odds are that this new feature will not suffer the same outcome as Megaupload, because of Cloudflare's close relationship with the USG.
Cloudflare is really good at launching features that facility low-friction deployment of malicious content (such as phishing) on the Internet, piggybacking on their hosting reputation and the fact that you can't easily block their ASN or domains.
I don't know your experience. Once I was toying around and doing a basic auth with registration and so. The weekend was over and couldn't get back to that couple of months. The worker was quarantined and marked as phishing automatically. So I believe they have something in place to prevent those you complain.
Your anecdote just illustrates that their system detects legit uses as abuses, not that they have a system that effectively detects abuses.
Cloudflare is also like a Chinese copycat machine. They mostly copy some successful project and sell it at cheap price.
Be the change you want to see to make the world of your dreams.
And then sell its denizens malice protection services.
The internet will soon be flooded with even more scam landing pages.
And you should be using cloudflare to protect yourself...
This definitely won't get used to host unlimited phishing sites. /s
This is so cool.
Cloudflare has the astonishing ability to make me hate them more as a company every new feature they launch.
why?
Every new feature they've launched recently can be used to make the web more dangerous for everyone except those who use Cloudflare.
3 replies →