We’re making some relatively minimal changes to how game pages are rendered for security reasons:
iframes, with the exception of itch.io embeds, are now click-to-activate within project’s description, and other developer-provided fields. This is to prevent code on third-party pages from executing automatically when you navigating to someone’s itch.io page. We’ve seen scammers attempt to take advantage of how we treated iframes to initiate a download of malicious code automatically. Additionally, this change will prevent third-party services from automatically performing tracking without your consent. (Note, click-to-active
iframes were already used in comments and community posts, this change now applies the same restrictions to the project pages themselves)
Outbound links are now highlighted when you hover over them. This is to make sure you aware you’re interacting with a link that leaves the platform. Images inside links are also highlighted. The goal here is to prevent someone from crafting page that shows images that appear to be itch.io UI elments but are actually links elsewhere. Additionally, in some circumstances, if we detect a particular link to be suspicious, you may receive a warning when you attempt to click on it.
We’re making these changes in response to the new wave of scammers we’re seeing attempting to distribute malware on itch.io. If you haven’t already, please review the the topic about the “try my game” scam.
If you have any questions or issues, please reply here.