This is great! Thanks for sharing, I really liked the personalities and relationships you managed to build here.
Recent community posts
omg this is......so wholesome, aughhh!! *flails* I love it, it's wonderful. Thank you for writing these relationships and situations!
I love how you took what you had going in the first game and really made it into something even more wonderful in the second. Arghhh I really want to meet these lovely people IRL now ahhhhh
They seem to also host a good number of the games on their own servers so I'm not sure that they always/only use itch.io-hosted iframe embeds -- perhaps they only did so for my game since I had site-locking that required them to do so (?)
My game has since been taken down from both of these sites.
Thanks for the response! It's been 3 days since I obsoleted the build at https://v6p9d9t4.ssl.hwcdn.net/html/1436437-163692/index.html but that looks to still be live. I should note that I didn't explicitly "delete the file from itch", but simply pushed a new build via butler. I'll give the CDN a bit more time as this is not urgent and the DMCA takedown notices I filed seemed to have deterred the offending site(s).
Good to know that I can request a manual CDN purge via support, thanks! I assume I should issue that request via email?
I actually already had my own site lock logic setup, but was struggling to get around iframe embeds since the iframe that the app is loaded in is typically a valid URL even if the parent page is in a completely different domain. A naive check of the application's URL will simply return the iframe URL (which is at https://v6p9d9t4.ssl.hwcdn.net) so that isn't particularly useful for preventing this sort of abuse. To make matters worse, the username.itch.io page is on a different domain so you can't just check parent.document.location or whatever due to same-origin policy.
For anyone coming across this post in the future, I should note that in addition to checking the referrer URL against your whitelisted domains (yourusername.itch.io/*, yourwebsite.com/*), you should also check the actual direct URL (not referrer) and whitelist it against things like file:///*, localhost/*, localhost:*, and most importantly, itch-cave://* which is used to serve your html5 game when downloaded via the itch app.
Note that it's generally NOT useful to check whether the direct URL of the app resides on https://v6p9d9t4.ssl.hwcdn.net or *.itch.zone as any other site can simply embed your index.html page in an iframe to get around this. I've seen MANY instances of iframes pointing to https://v6p9d9t4.ssl.hwcdn.net in the wild and it wouldn't surprise me if someone had already written a bot to automatically scrape itch.io iframe links in this fashion for re-embedding in their own sites.
Online game theft is a common occurrence as I'm sure you all know and itch.io's html5 embed code makes it easier than ever for people to simply copy-paste the iframe that points to https://v6p9d9t4.ssl.hwcdn.net/html/.../index.html and presto! They've stolen your game.
Unfortunately due to same-origin policy it's not possible to determine where your iframe is embedded in from the app itself so until the itch team perhaps restricts hotlinking this sort of exploit is just possible. I've seen several sites already that simply scrape itch and embed links to itch.io html5 index pages, essentially utilizing itch's webhosting and bandwidth to drive traffic to their own (ad-supported) sites. Sad times!
As devs we can change the urls at which our builds are hosted by uploading new builds, which leads to a new path under https://v6p9d9t4.ssl.hwcdn.net, but unfortunately right now the older builds are still available so the offending sites' embed code still works.
Is there any functionality available to REMOVE an old build from the https://v6p9d9t4.ssl.hwcdn.net hosting service? I understand that DRM and site-locking is inherently not a trivial problem but I would imagine that this basic step of deleting the old hosted builds should be doable.