MediaDownload v0.1.7
Security, reliability, and feature release.
Security
- Cross-origin (CSRF) defense on the local server: Host-header allowlist (also blocks DNS-rebinding), Origin/Referer loopback checks on state-changing requests, and application/json required for JSON bodies.
- Downloads and Reveal-in-Finder are confined to allowed folders (default dir + folders you pick); sensitive locations are refused. Closes a cross-origin write-to-arbitrary-folder path.
- Thumbnail fetches now go through the hardened, SSRF-guarded opener (no redirect-to-internal).
- Auth-looking query values are redacted from surfaced errors and logs.
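
The three request checks listed in the first Security item, sketched as one gate function. This is an added example, not MediaDownload's own code: the function names, the port 8765, the status codes and the choice to reject state-changing requests that carry neither Origin nor Referer are all assumptions.

```python
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}          # assumed allowlist
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def _loopback(url, port):
    """True only for http://<loopback host>:<port>[/...] with no userinfo."""
    try:
        p = urlsplit(url)
        return (p.scheme == "http" and p.username is None
                and p.hostname in LOOPBACK and p.port == port)
    except ValueError:                                # bad port or IPv6 literal
        return False

def check_request(method, headers, port, has_json_body=False):
    """Return (status, reason) for a request reaching the local server."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host allowlist. After DNS rebinding the browser connects to
    #    127.0.0.1 but still sends the attacker's hostname in Host.
    host = h.get("host", "")
    if any(c in host for c in "/@?# ") or not _loopback("http://" + host, port):
        return 403, "host not allowed"

    if method.upper() in STATE_CHANGING:
        # 2. Origin (or Referer as fallback) must be this loopback server.
        #    Assumption: a request with neither header is rejected.
        source = h.get("origin") or h.get("referer")
        if source is None or not _loopback(source, port):
            return 403, "cross-origin"

        # 3. JSON bodies must be declared as application/json. An HTML form
        #    can only send urlencoded, multipart or text/plain, and a
        #    cross-origin fetch with application/json triggers a preflight.
        if has_json_body:
            ctype = h.get("content-type", "").split(";")[0].strip().lower()
            if ctype != "application/json":
                return 415, "json required"
    return 200, "ok"

if __name__ == "__main__":
    # Constructed sample requests against a server assumed to listen on 8765.
    ok = {"Host": "127.0.0.1:8765", "Origin": "http://127.0.0.1:8765",
          "Content-Type": "application/json"}
    print(check_request("POST", ok, 8765, has_json_body=True))
    print(check_request("GET", {"Host": "attacker.example:8765"}, 8765))
    print(check_request("POST", {**ok, "Origin": "https://evil.example"}, 8765))
```
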
Reliability
- Direct downloads verify the expected size before finalizing (no silently truncated files) and keep the partial for resume; .part files are keyed per-URL so parallel downloads can't corrupt each other, and resume is validated with If-Range so a changed resource restarts instead of appending onto a stale partial.
- Worker failures now surface as a failed job instead of a stuck one; a batch with cancelled/skipped items reports "completed with warnings".
Features
- Durable discovery that survives restart, byte-level progress, and real provenance (final URL, resolved quality/codec/container/bitrate) in metadata and the UI.
- Retry failed items in place within the same batch; cancel a single item; caption language modes (Original / All / specific).
- Errors, discovery failures, and destructive actions are now surfaced/confirmed in the UI; a destination folder can be typed in browser mode.
Packaging
- Reproducible builds from pinned dependencies; release signing fails loudly on error; broader packaged-app smoke test.
Verification
- Source QA: 68 passed.
- macOS app bundle: signed, notarized, stapled, and validated.
- DMG: signed, notarized, stapled, and validated.