Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics


A member registered Sep 09, 2015 · View creator page →

Creator of

Recent community posts

Feel free to download the html5 version, either directly or via the itch app.

Thank you for playing.  I'm glad that my game was able to bring forth these feelings.

Fading the opacity of the UI elements, designing the levels in such a way that this isn't an issue, or simply increasing the height of the viewport so that the UI occupies a separate space.

This issue should now be fixed in v1.1.1

Thanks for the bug report!  This should be fixed now in version 1.1.1.  Thanks for playing :)

Thanks for the report!  I'll be fixing respawn bugs in a few days hopefully!

Feel free to download the build, or use the app.

Thank you for sharing this!  The visuals and soundtrack are both inspirational in informing my own creative works.

Thanks for the report!  As noted on the page there's unfortunately some intermittent issues with Godot WebGL builds failing to start (not limited to this game).  The downloadable version should work just fine though!

Thanks for the report!  This is actually not Firefox-specific -- the copy violation depends on the presence of the "document.referrer" tag to verify that the game is being loaded from a whitelisted domain (and not some other website trying to steal the game).  If you have the referrer header disabled, then this obviously won't work.

To change the config value you can go to about:config and change the network.http.sendRefererHeader value back to the default of "2".

This is great!  Thanks for sharing, I really liked the personalities and relationships you managed to build here.

Great job! :D

Wow.....that was intense.

I like your cover illustration.  It's a concept I've seen before but taken a very different spin.

I love this!  Thanks for sharing :)

Yayyyy :)

Thank you for playing, and for hosting this jam :)

(Toki's font is pretty much the exact handwriting I use when I'm writing letters)

omg this wholesome, aughhh!! *flails* I love it, it's wonderful.  Thank you for writing these relationships and situations!

I love how you took what you had going in the first game and really made it into something even more wonderful in the second.  Arghhh I really want to meet these lovely people IRL now ahhhhh

They seem to also host a good number of the games on their own servers so I'm not sure that they always/only use iframe embeds -- perhaps they only did so for my game since I had site-locking that required them to do so (?)

My game has since been taken down from both of these sites.

(2 edits)

Thanks for the response!  It's been 3 days since I obsoleted the build at but that looks to still be live.  I should note that I didn't explicitly "delete the file from itch", but simply pushed a new build via butler.  I'll give the CDN a bit more time as this is not urgent and the DMCA takedown notices I filed seemed to have deterred the offending site(s).

Good to know that I can request a manual CDN purge via support, thanks!  I assume I should issue that request via email?

Yep, I've already read about the * futureproofing and the WIP site lock javascript injection.  No rush on that, please take your time!

I actually already had my own site lock logic setup, but was struggling to get around iframe embeds since the iframe that the app is loaded in is typically a valid URL even if the parent page is in a completely different domain.  A naive check of the application's URL will simply return the iframe URL (which is at so that isn't particularly useful for preventing this sort of abuse.  To make matters worse, the page is on a different domain so you can't just check parent.document.location or whatever due to same-origin policy.

However!  It seems that the document.referrer string is properly set in this case and can be used to examine the URL of the parent page.  Fetching this via javascript in Unity-land involves a bit of extra work in terms of returning the string value to C#, but I've successfully updated my projects to examine value of document.referrer to prevent this sort of embed.

For anyone coming across this post in the future, I should note that in addition to checking the referrer URL against your whitelisted domains (*,*), you should also check the actual direct URL (not referrer) and whitelist it against things like file:///*, localhost/*, localhost:*, and most importantly, itch-cave://* which is used to serve your html5 game when downloaded via the itch app.

Note that it's generally NOT useful to check whether the direct URL of the app resides on or * as any other site can simply embed your index.html page in an iframe to get around this.  I've seen MANY instances of iframes pointing to in the wild and it wouldn't surprise me if someone had already written a bot to automatically scrape iframe links in this fashion for re-embedding in their own sites.

Alternatively, could we use the CSP frame ancestors directive to prevent iframe embeds from other domains?

Hi there!

Online game theft is a common occurrence as I'm sure you all know and's html5 embed code makes it easier than ever for people to simply copy-paste the iframe that points to  and presto!  They've stolen your game.

Unfortunately due to same-origin policy it's not possible to determine where your iframe is embedded in from the app itself so until the itch team perhaps restricts hotlinking this sort of exploit is just possible.  I've seen several sites already that simply scrape itch and embed links to html5 index pages, essentially utilizing itch's webhosting and bandwidth to drive traffic to their own (ad-supported) sites.  Sad times!

As devs we can change the urls at which our builds are hosted by uploading new builds, which leads to a new path under, but unfortunately right now the older builds are still available so the offending sites' embed code still works.

Is there any functionality available to REMOVE an old build from the hosting service?  I understand that DRM and site-locking is inherently not a trivial problem but I would imagine that this basic step of deleting the old hosted builds should be doable.


Same issue and similar log here!  I'm on windows server 2012.  Sorry I can't be of more use in diagnosing, feel free to ping me @ddrkirbyisq if you get an updated version up!