Heya,
very nice start to the game, looking forward to how it'll develop in the future - curious what sort of content will come up next, there's so many directions this could go.
I tried looking a bit more closely at the downloads - I don't think this is a popup blocker thing, it's a weirder web security/standards thing, by the looks of it. The main game page is being served with headers
Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Opener-Policy: same-origin
perhaps to enable access to some modern JavaScript APIs; I don't see this enabled on other pages. Maybe it's behind some sort of "enable fancy embedded content" toggle?
However, the download link seems to be implemented by appending an <iframe> to the end of the document pointing at the download (?!?) and browsers now complain that the CDN server for the download does not return a "cross-origin-resource-policy: cross-origin" header - the earlier headers are explicitly enabling a new web security standard that requires embedded resources to have that header, it does not, so the browser is refusing to embed the resource, as it was explicitly instructed.
Unfortunately, troubleshooting this is probably going to be mostly on the itch.io platform, since they both serve the project page and set up the CDN, and are likely responsible for the bizarre decision of stashing download links in an iframe. This sounds like it should be a problem for all pages set up like this. You might be able to get it to work by wiggling settings about the embedded web version, but the current second-project-download-link setup does kind of work, though it is a tad clunky. The itch desktop app is able to download the app just fine, though confusingly enough it isn't able to render the project page at all, just showing a blank page.
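
An added example, not part of the original post: a simplified JavaScript model of the Fetch specification's Cross-Origin-Resource-Policy check, showing why an iframe embed is refused under the headers quoted above. The origins, URL and function names are constructed for illustration, header keys are assumed to be lowercased, and the same-site test is an approximation.

```javascript
// Simplified model of the Cross-Origin-Resource-Policy (CORP) check and how the
// embedding page's Cross-Origin-Embedder-Policy (COEP) changes its default.
// Covers no-cors subresources and nested navigations (iframes) only.

function sameSite(a, b) {
  // Approximation (assumption): site = last two host labels; browsers use the Public Suffix List.
  const site = (u) => u.hostname.split(".").slice(-2).join(".");
  return site(a) === site(b) && (a.protocol === "https:" || b.protocol !== "https:");
}

function corpCheck({ embedderOrigin, coep, resourceUrl, responseHeaders, forNavigation, withCredentials }) {
  const embedder = new URL(embedderOrigin);
  const resource = new URL(resourceUrl);
  // Navigations are only subject to the check when the embedder enables COEP.
  if (forNavigation && coep === "unsafe-none") return "allowed";

  const raw = (responseHeaders["cross-origin-resource-policy"] || "").trim();
  let policy = ["same-origin", "same-site", "cross-origin"].includes(raw) ? raw : null;

  // Missing or unrecognised CORP header: COEP decides the default.
  if (policy === null) {
    if (coep === "require-corp") policy = "same-origin";
    else if (coep === "credentialless" && (withCredentials || forNavigation)) policy = "same-origin";
  }

  if (policy === null || policy === "cross-origin") return "allowed";
  if (embedder.origin === resource.origin) return "allowed";
  if (policy === "same-site" && sameSite(embedder, resource)) return "allowed";
  return "blocked";
}

// Constructed scenario: a game page embedding a download hosted on another site's CDN.
function scenarios() {
  const base = { embedderOrigin: "https://game.example", coep: "credentialless",
                 resourceUrl: "https://cdn.example/build.zip", responseHeaders: {},
                 forNavigation: true, withCredentials: false };
  const corp = { "cross-origin-resource-policy": "cross-origin" };
  return {
    iframeNoCorp: corpCheck(base),                                  // the case in the post
    iframeWithCorp: corpCheck({ ...base, responseHeaders: corp }),  // CDN sends the header
    imageNoCorp: corpCheck({ ...base, forNavigation: false }),      // credentialless subresource
    iframeNoCoep: corpCheck({ ...base, coep: "unsafe-none" }),      // page without COEP
  };
}

console.log(scenarios());
```

In this model the download works again either when the CDN response carries `cross-origin-resource-policy: cross-origin` or when the download is not loaded as a nested navigation from the COEP-enabled page.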