
Click-to-activate iframes and outbound link highlighting on project pages

A topic by leafo created 21 days ago Views: 394 Replies: 12
Admin (1 edit)

We’re making some relatively minimal changes to how game pages are rendered for security reasons:

All iframes, with the exception of embeds, are now click-to-activate within a project’s description and other developer-provided fields. This is to prevent code on third-party pages from executing automatically when you navigate to someone’s page. We’ve seen scammers attempt to take advantage of how we treated iframes to initiate a download of malicious code automatically. Additionally, this change will prevent third-party services from automatically performing tracking without your consent. (Note: click-to-activate iframes were already used in comments and community posts; this change now applies the same restrictions to the project pages themselves.)

Outbound links are now highlighted when you hover over them. This is to make sure you are aware you’re interacting with a link that leaves the platform. Images inside links are also highlighted. The goal here is to prevent someone from crafting a page that shows images that appear to be UI elements but are actually links elsewhere. Additionally, in some circumstances, if we detect a particular link to be suspicious, you may receive a warning when you attempt to click on it.

We’re making these changes in response to the new wave of scammers we’re seeing attempting to distribute malware on If you haven’t already, please review the topic about the “try my game” scam.

If you have any questions or issues, please reply here.
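
The two measures announced above, sketched as an added example that is not part of the original post and is not the platform's own code: developer-supplied iframes are rendered as inert placeholders that only become iframes after a click, and links are classified so outbound ones can be highlighted. `PLATFORM_HOST`, the `embed_placeholder` class, the `data-embed-src` attribute and the `sandbox` value are assumptions made for illustration.

```javascript
// Added example, not the platform's code. PLATFORM_HOST, the class name and
// the data attribute are assumptions made for illustration.
const PLATFORM_HOST = "store.example";

const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Parse a developer-supplied URL; only http(s) URLs survive.
function parseUserUrl(raw) {
  try {
    const url = new URL(raw, `https://${PLATFORM_HOST}/`);
    return url.protocol === "https:" || url.protocol === "http:" ? url : null;
  } catch {
    return null;
  }
}

// Returns "internal", "outbound" (to be highlighted) or "blocked".
function classifyLink(href) {
  const url = parseUserUrl(href);
  if (!url) return "blocked";
  const host = url.hostname;
  return host === PLATFORM_HOST || host.endsWith("." + PLATFORM_HOST)
    ? "internal" : "outbound";
}

// Server side: emit an inert placeholder, so nothing third-party loads on page view.
function iframePlaceholder(src) {
  const url = parseUserUrl(src);
  if (!url) return "";
  return `<button type="button" class="embed_placeholder" ` +
    `data-embed-src="${escapeHtml(url.href)}">` +
    `Click to activate embed from ${escapeHtml(url.hostname)}</button>`;
}

// Browser side: build the iframe only after the visitor clicks the placeholder.
if (typeof document !== "undefined") {
  document.addEventListener("click", (event) => {
    const button = event.target.closest("button.embed_placeholder");
    if (!button) return;
    const frame = document.createElement("iframe");
    frame.src = button.dataset.embedSrc;
    // Assumed hardening: no allow-downloads, popups or top-level navigation.
    frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
    button.replaceWith(frame);
  });
}
```

The host comparison runs on the parsed hostname rather than on the raw string, which is what keeps lookalikes such as `store.example.evil.test` or `store.example@evil.test` in the outbound class.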

While I appreciate the efforts, can I suggest that the outbound links have a tooltip style pop-up instead of the frame + text? Something like this one from Wikipedia

Admin (1 edit) (+1)

Unfortunately we’re dealing with scammers trying to make fake UI to trick users. We don’t have the same goals as Wikipedia here. For the time being we’re making the status of a link and contained image very obvious. Because pages can be themed, we have more situations to account for.

You should probably put the red 'external link' notice on the Amazon, Google and similar badges too.


This change only applies to user-formatted content. UI provided by will not have this, even if it is a link to an external site. I feel like these badges are explicit enough to not need additional labeling, but we may revisit in the future.

There's a bug with the external link overlay: if there's text under the popup, it renders in front of it (especially problematic when it's another link).


Thanks for the report, fix should be deployed.


Hey, thanks for posting about this. It is good to see the site's security being taken seriously, though I do have some issues with how this change affects the aesthetic of project pages.

I primarily use itch to sell sound libraries, and I have found that pages can look quite nice if I have a large YouTube embed with the sound library's trailer that takes up the width of the page. Now I feel that my pages look quite bare, because the "click to activate YouTube" video is comparatively small and is left-aligned. I also feel it's a bit less "idiot-proof" (for lack of a better term 😉) to hear an example of my sound libraries.

Is there any possibility for any websites to be "whitelisted", so they appear as before without needing to be enabled? I don't claim to understand the technical aspects of it, but I would imagine that iframes from YouTube or SoundCloud for example would be safe. And from what I can tell, it does appear that the "activate" box is aware that the iframe is a YouTube video and already displays it differently to the generic "activate" box. Perhaps trusted websites like these could be displayed as before?

And another thought that may or may not be possible - could the new "click to activate" boxes be made to match the size of the original iframe? This would minimise the effect the new system has on page layout.


I have the same problem! I'm not a fan of how it affects the layout of the page:(

Admin (2 edits) (+1)

Is there any possibility for any websites to be “whitelisted”, so they appear as before without needing to be enabled? I don’t claim to understand the technical aspects of it, but I would imagine that iframes from YouTube or SoundCloud for example would be safe.

From a privacy perspective, we are moving away from automatic embeds from third-party platforms. Users will have to opt-in to loading these iframes by clicking on them. Where possible, we can try to insert an image in the placeholder to communicate what is embedded. (We do this with YouTube videos currently)

And another thought that may or may not be possible - could the new “click to activate” boxes be made to match the size of the original iframe?

I think this is something we’ll likely explore in the future.


(1 edit) (+1)

Agreeing with Matt that YT and Soundcloud embeds should be safe enough to be whitelisted, as the layout of pages looks really unsightly now.


Disabling auto-showing of SoundCloud playlists directly hurts my ability to sell my music packs on itch. It is not obvious at all to visitors that the new 'click to enable embeds' thing will display a SoundCloud playlist. Forcing people to click on a thing they don't immediately understand in order to display a thing they don't know is available is really... bad. I understand the security concerns you're facing, but if those security concerns aren't coming from SoundCloud playlists, please find a way to enable them to auto-display again.

Maybe you could add a custom-built field in the product creation template that is specifically for SoundCloud playlists similar to how you have one for a trailer video. To be effective at all, those playlists really need to auto-display. There are a lot of soundware creators on itch, and as it stands the current change hurts all of them.

Deleted 3 days ago

Please don’t post on unrelated topics to try to get attention. Submitting a report for the page, a support ticket, or a new thread is the right way to go. Do not reply to random topics or posts created by admins or moderators.