That's how itch.io is designed to work. There are ways to set the headers right, but I don't know how.

For anyone who's curious, I attempted the following work-around:

1. Detect if the game is running on iPad
2. If so, prompt the user to click a link to load the frame's URL in a new tab (ensuring localStorage writes are no longer cross-domain)

#2 works, but, to my surprise, I couldn't find a reliable way to determine if the user is on an iPad. Recent Safari updates make iPads (and iPhones) claim to be desktop Macs, so you have to resort to fragile fingerprinting techniques. (Unsurprisingly, there also is no way to detect if "Prevent Cross-Site Tracking" is enabled.)

If anyone has other ideas, let me know!

We have to run games in an iframe on a different domain for security reasons:

• We can not run games on the same domain as itchio since we are letting you execute untrusted JavaSript.
• It must run in an iframe embedded on an itchio domain for us to apply site-locking. Site locking is to mitigate third-party game aggregators that steal our games to put ads on top of them. They will reuse our CDN to host them and end up costing us bandwidth money. (Note that you may be able to load the embed by direct URL, but sitelocking is applied asynchronously and may activate at a later time in the future. There is no guarantee the CDN URL will continue to work directly, you should instead use the embed code to link directly to a game: https://itch.io/updates/introducing-game-embeds)

Unfortunately there are limited things we can do here, other than instructing users to change their browser’s security settings. Having the user visit the domain ahead of time could be valid approach, but I don’t recommend having them visit the game’s page directly. Alternatively you could use some kind of third party API to host save data but then you would have to deal with the privacy implications.