Thanks for the response! It's been 3 days since I obsoleted the build at https://v6p9d9t4.ssl.hwcdn.net/html/1436437-163692/index.html but that looks to still be live. I should note that I didn't explicitly "delete the file from itch", but simply pushed a new build via butler. I'll give the CDN a bit more time as this is not urgent and the DMCA takedown notices I filed seemed to have deterred the offending site(s).
Good to know that I can request a manual CDN purge via support, thanks! I assume I should issue that request via email?
Yep, I've already read about the *.itch.zone futureproofing and the WIP site lock javascript injection. No rush on that, please take your time!
I actually already had my own site lock logic setup, but was struggling to get around iframe embeds since the iframe that the app is loaded in is typically a valid URL even if the parent page is in a completely different domain. A naive check of the application's URL will simply return the iframe URL (which is at https://v6p9d9t4.ssl.hwcdn.net) so that isn't particularly useful for preventing this sort of abuse. To make matters worse, the username.itch.io page is on a different domain so you can't just check parent.document.location or whatever due to same-origin policy.
However! It seems that the document.referrer string is properly set in this case and can be used to examine the URL of the parent page. Fetching this via javascript in Unity-land involves a bit of extra work in terms of returning the string value to C#, but I've successfully updated my projects to examine value of document.referrer to prevent this sort of embed.
For anyone coming across this post in the future, I should note that in addition to checking the referrer URL against your whitelisted domains (yourusername.itch.io/*, yourwebsite.com/*), you should also check the actual direct URL (not referrer) and whitelist it against things like file:///*, localhost/*, localhost:*, and most importantly, itch-cave://* which is used to serve your html5 game when downloaded via the itch app.
Note that it's generally NOT useful to check whether the direct URL of the app resides on https://v6p9d9t4.ssl.hwcdn.net or *.itch.zone as any other site can simply embed your index.html page in an iframe to get around this. I've seen MANY instances of iframes pointing to https://v6p9d9t4.ssl.hwcdn.net in the wild and it wouldn't surprise me if someone had already written a bot to automatically scrape itch.io iframe links in this fashion for re-embedding in their own sites.