DDRKirby(ISQ)

Posts: 11 · Topics: 1 · Followers: 124
A member registered Sep 09, 2015

Recent community posts

This is great!  Thanks for sharing, I really liked the personalities and relationships you managed to build here.

Great job! :D

Wow.....that was intense.

I like your cover illustration.  It's a concept I've seen before but taken a very different spin.

I love this!  Thanks for sharing :)

Yayyyy :)

Thank you for playing, and for hosting this jam :)

(Toki's font is pretty much the exact handwriting I use when I'm writing letters)

omg this is......so wholesome, aughhh!! *flails* I love it, it's wonderful.  Thank you for writing these relationships and situations!

I love how you took what you had going in the first game and really made it into something even more wonderful in the second.  Arghhh I really want to meet these lovely people IRL now ahhhhh

http://www.freewebarcade.com/

https://kbhgames.com

They seem to also host a good number of the games on their own servers so I'm not sure that they always/only use itch.io-hosted iframe embeds -- perhaps they only did so for my game since I had site-locking that required them to do so (?)

My game has since been taken down from both of these sites.

Thanks for the response!  It's been 3 days since I obsoleted the build at https://v6p9d9t4.ssl.hwcdn.net/html/1436437-163692/index.html but that looks to still be live.  I should note that I didn't explicitly "delete the file from itch", but simply pushed a new build via butler.  I'll give the CDN a bit more time as this is not urgent and the DMCA takedown notices I filed seemed to have deterred the offending site(s).

Good to know that I can request a manual CDN purge via support, thanks!  I assume I should issue that request via email?

Yep, I've already read about the *.itch.zone futureproofing and the WIP site lock javascript injection.  No rush on that, please take your time!

I actually already had my own site lock logic set up, but was struggling to get around iframe embeds since the iframe that the app is loaded in is typically a valid URL even if the parent page is in a completely different domain.  A naive check of the application's URL will simply return the iframe URL (which is at https://v6p9d9t4.ssl.hwcdn.net) so that isn't particularly useful for preventing this sort of abuse.  To make matters worse, the username.itch.io page is on a different domain so you can't just check parent.document.location or whatever due to same-origin policy.

However!  It seems that the document.referrer string is properly set in this case and can be used to examine the URL of the parent page.  Fetching this via JavaScript in Unity-land involves a bit of extra work in terms of returning the string value to C#, but I've successfully updated my projects to examine the value of document.referrer to prevent this sort of embed.

For anyone coming across this post in the future, I should note that in addition to checking the referrer URL against your whitelisted domains (yourusername.itch.io/*, yourwebsite.com/*), you should also check the actual direct URL (not referrer) and whitelist it against things like file:///*, localhost/*, localhost:*, and most importantly, itch-cave://* which is used to serve your html5 game when downloaded via the itch app.

Note that it's generally NOT useful to check whether the direct URL of the app resides on https://v6p9d9t4.ssl.hwcdn.net or *.itch.zone as any other site can simply embed your index.html page in an iframe to get around this.  I've seen MANY instances of iframes pointing to https://v6p9d9t4.ssl.hwcdn.net in the wild and it wouldn't surprise me if someone had already written a bot to automatically scrape itch.io iframe links in this fashion for re-embedding in their own sites.

Alternatively, could we use the CSP frame ancestors directive to prevent iframe embeds from other domains?
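
The site lock described in the posts above (referrer checked against whitelisted domains, direct URL checked for local and itch-app schemes), written out in plain JavaScript as an added example. It is not the poster's code; the function names, the fail-closed handling of an empty referrer and the sample URLs in the comments are assumptions.

```javascript
// Added example: site-lock decision for an HTML5 build served inside an iframe.
// ALLOWED_EMBEDDERS uses the placeholder names from the post; replace with your own.
const ALLOWED_EMBEDDERS = ["yourusername.itch.io", "yourwebsite.com"];
// Direct-URL schemes and hosts that mean "running locally or in the itch app".
const LOCAL_SCHEMES = ["file:", "itch-cave:"];
const LOCAL_HOSTS = ["localhost"];

function parseUrl(value) {
  try {
    return new URL(value);
  } catch (e) {
    return null; // empty or malformed string
  }
}

// Exact hostname match only. Substring or prefix checks would accept
// hosts like "yourusername.itch.io.games.example".
function hostAllowed(hostname, allowed) {
  return allowed.includes(hostname.toLowerCase());
}

// directUrl: window.location.href of the game document.
// referrer:  document.referrer, i.e. the embedding page when framed.
function siteLockDecision(directUrl, referrer) {
  const direct = parseUrl(directUrl);
  if (direct === null) return "block";
  if (LOCAL_SCHEMES.includes(direct.protocol)) return "allow";
  if (LOCAL_HOSTS.includes(direct.hostname)) return "allow"; // any port

  // The CDN host of the direct URL is deliberately not checked:
  // it is the same whoever embeds the iframe.
  const ref = parseUrl(referrer);
  // Assumption: fail closed when the referrer is missing (for example,
  // stripped by the embedding page's Referrer-Policy).
  if (ref === null) return "block";
  return hostAllowed(ref.hostname, ALLOWED_EMBEDDERS) ? "allow" : "block";
}

// In the browser: siteLockDecision(window.location.href, document.referrer)
```

A check like this runs inside the build itself, so it only protects builds that ship with it. The `frame-ancestors` directive asked about above is enforced by the browser instead, but it has to be sent as a response header by whoever hosts the file.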

Hi there!

Online game theft is a common occurrence as I'm sure you all know and itch.io's html5 embed code makes it easier than ever for people to simply copy-paste the iframe that points to https://v6p9d9t4.ssl.hwcdn.net/html/.../index.html  and presto!  They've stolen your game.

Unfortunately due to same-origin policy it's not possible to determine where your iframe is embedded in from the app itself so until the itch team perhaps restricts hotlinking this sort of exploit is just possible.  I've seen several sites already that simply scrape itch and embed links to itch.io html5 index pages, essentially utilizing itch's webhosting and bandwidth to drive traffic to their own (ad-supported) sites.  Sad times!

As devs we can change the urls at which our builds are hosted by uploading new builds, which leads to a new path under https://v6p9d9t4.ssl.hwcdn.net, but unfortunately right now the older builds are still available so the offending sites' embed code still works.

Is there any functionality available to REMOVE an old build from the https://v6p9d9t4.ssl.hwcdn.net hosting service?  I understand that DRM and site-locking is inherently not a trivial problem but I would imagine that this basic step of deleting the old hosted builds should be doable.

Thanks!

Same issue and similar log here!  I'm on Windows Server 2012.  Sorry I can't be of more use in diagnosing, feel free to ping me @ddrkirbyisq if you get an updated version up!