We have to run games in an iframe on a different domain for security reasons:
- We can not run games on the same domain as itchio since we are letting you execute untrusted JavaSript.
- It must run in an iframe embedded on an itchio domain for us to apply site-locking. Site locking is to mitigate third-party game aggregators that steal our games to put ads on top of them. They will reuse our CDN to host them and end up costing us bandwidth money. (Note that you may be able to load the embed by direct URL, but sitelocking is applied asynchronously and may activate at a later time in the future. There is no guarantee the CDN URL will continue to work directly, you should instead use the embed code to link directly to a game: https://itch.io/updates/introducing-game-embeds)
Unfortunately there are limited things we can do here, other than instructing users to change their browser’s security settings. Having the user visit the domain ahead of time could be valid approach, but I don’t recommend having them visit the game’s page directly. Alternatively you could use some kind of third party API to host save data but then you would have to deal with the privacy implications.