Skip to main content

Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
leafoAdmin1 year ago (3 edits) (+2)

There are no plans to add account-specific subdomains on html hosted games as part of this update. These domains are not visible to the end user, so there is no purpose in having vanity URLs.

One potential use case is save-game isolation, is that something you are concerned about?

Only the following domains will be used for HTML games after this migration takes place:

  • html-classic.itch.zone
  • html.itch.zone

But we may use other *.itch.zone domains in the future for different configurations, which is why we recommend those who use site-locks to use the wildcard domain.

Reply
CrocMiam1 year ago (1 edit) (+11)

save-game isolation is important. 

  • Some simple engines don't allow the author to change the save "id" and those saves clash between different games. 
  • localStorage is limited per domain (5 or 10 MB depending on the browser) so one game can reach the limit and cause issues for all other games
  • if one clears the localStorage to solve an issue with a game, it clears it for all games 

Vanity URL are indeed not needed but somewhat unique URLs are.

Reply
leafoAdmin1 year ago (1 edit) (+4)

Our current CDN doesn’t make it trivial to provision wildcard domains and certs, so it wasn’t something we were able to provide. It’s possible with our new provider this may become an option, but at this time we haven’t made any decisions about which provider we will be using so I can’t say for certain.

Reply
Mango Scribble1 year ago(+1)

I'll sell my kidneys to pay for this feature

Reply
Daiz1 year ago(+1)

With LetsEncrypt, would a wildcard cert even really be necessary? You could just generate a cert for a new subdomain whenever a new user publishes an HTML game for the first time. They do have rate limits but I imagine the public one could be workable, and if not, one can always contact them to work out potential rate limit increases (there's a form on their rate limits page for it).

Reply
perons1 year ago(+1)

Save-game isolation too, but I was also building an online service that would benefit greatly if I could check which game was connecting to it. Knowing WHICH game is unnecessary, as long as I could differentiate between games using an unique-id.

Save-game isolation is a much more pressing danger, though.

Reply
Dale Price1 year ago (3 edits) (+7)

Not having any isolation between games seems like a massive security/privacy issue unless I’m seriously misunderstanding the situation.

  • Any game or its analytics/ads could essentially see a list of every other game a user has played that saved anything locally. This seems especially serious since itch.io hosts a lot of NSFW games as well as games geared towards marginalized groups.
  • A troll could upload a game that messes with or deletes saves from other games. I know the public listings are moderated, but itch.io is often used for game jams where people share direct links to games that haven’t been checked yet, which bypasses moderation. Even an unintentional bug in one game could wipe saves from others.
  • Some of the game-making tools at https://itch.io/tools/platform-web run in the browser and also save to local storage. This means that a malicious game/tool could steal someone’s works in progress, or private games they are making for themselves and don’t intend to share, if they use any of those tools.
  • the user granting any permission (location services, camera, microphone, notifications, etc) to one game would grant that permission to all games

Don’t believe me? It’s right there in the OWASP cheat sheet: “ Avoid hosting multiple applications on the same origin, all of them would share the same localStorage object, use different subdomains instead.”

Reply
AboutFAQBlogContact us
Copyright © 2024 itch corp · Directory · Terms · Privacy · Cookies