Skip to main content

Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines

Notice for HTML game devs: Upcoming change to CDN domain

A topic by leafo created Aug 29, 2023 Views: 16,469 Replies: 21
Viewing posts 1 to 10
Admin (3 edits) (+10)

Hello everyone,

Edit: As of November 22nd we are fully migrated to the new domains and CDN

Our current CDN provider is shutting down and we’ll me migrating to a new provider. This should not affect you in any way unless you distribute HTML/JavaScript games. We will be forced to change the default domain used to serve this content.

  • The following domain will no longer be used for HTML games & projects: v6p9d9t4.ssl.hwcdn.net
  • The default domain for HTML games will be changed to html-classic.itch.zone
  • The migration will happen in the next 90 days – we were recently notified of this update so we’ll post another update when we know the specific timeline.

Unfortunately, when we first launched HTML game support, we used a domain that was provisioned by our CDN. This came with some disadvantages, but we avoided changing it to prevent interruption to users. We are now being forced to switch away from this domain due to the change in providers. This may impact you in the following ways:

  • If you used domain-based site locking for the domain v6p9d9t4.ssl.hwcdn.net, your game will no longer work unless you add additional domains. Generally we recommend that if you use site locking, you allow the domain pattern *.itch.zone. Any new CDN configurations we provision will always use a subdomain on itch.zone.
  • Games that used save game state within the browser will lose all their save data, as things like localStorage are tied to the domain of the executing JavaScript code – Unfortunately there is no way around this limitation. You will either need to provide a way to export and import save game data in your game, or you will need to integrate with a hosted API that provides save data storage

If you weren’t aware, for the past year we have provided a separate CDN configuration that serves your game through a domain we control, html.itch.zone. If you are already using this option then you will not be affected by this update. Learn more here: https://itch.io/t/2025776/experimental-sharedarraybuffer-support Note that due to changes in response headers, this domain has not been set as the default for new projects, it is currently opt-in.

If you have any questions you can reply in this thread

Pinned ReplyAdmin (1 edit) (+2)

Hello again,

This change will be happening this coming week (week of November 12th).

I’ll post again when it’s live. We’ll be migrating over services incrementally during the week.

Pinned ReplyAdmin(+1)

The new domain is now deployed.

(+2)

Is there going to be a pattern for the `*.itch.zone.` domain? E.g. "your-itch-domain.your-game-name.itch.zone" or something similar?

Admin (3 edits) (+2)

There are no plans to add account-specific subdomains on html hosted games as part of this update. These domains are not visible to the end user, so there is no purpose in having vanity URLs.

One potential use case is save-game isolation, is that something you are concerned about?

Only the following domains will be used for HTML games after this migration takes place:

  • html-classic.itch.zone
  • html.itch.zone

But we may use other *.itch.zone domains in the future for different configurations, which is why we recommend those who use site-locks to use the wildcard domain.

(1 edit) (+11)

save-game isolation is important. 

  • Some simple engines don't allow the author to change the save "id" and those saves clash between different games. 
  • localStorage is limited per domain (5 or 10 MB depending on the browser) so one game can reach the limit and cause issues for all other games
  • if one clears the localStorage to solve an issue with a game, it clears it for all games 

Vanity URL are indeed not needed but somewhat unique URLs are.

Admin (1 edit) (+4)

Our current CDN doesn’t make it trivial to provision wildcard domains and certs, so it wasn’t something we were able to provide. It’s possible with our new provider this may become an option, but at this time we haven’t made any decisions about which provider we will be using so I can’t say for certain.

(+1)

I'll sell my kidneys to pay for this feature

(+1)

With LetsEncrypt, would a wildcard cert even really be necessary? You could just generate a cert for a new subdomain whenever a new user publishes an HTML game for the first time. They do have rate limits but I imagine the public one could be workable, and if not, one can always contact them to work out potential rate limit increases (there's a form on their rate limits page for it).

(+1)

Save-game isolation too, but I was also building an online service that would benefit greatly if I could check which game was connecting to it. Knowing WHICH game is unnecessary, as long as I could differentiate between games using an unique-id.

Save-game isolation is a much more pressing danger, though.

(3 edits) (+7)

Not having any isolation between games seems like a massive security/privacy issue unless I’m seriously misunderstanding the situation.

  • Any game or its analytics/ads could essentially see a list of every other game a user has played that saved anything locally. This seems especially serious since itch.io hosts a lot of NSFW games as well as games geared towards marginalized groups.
  • A troll could upload a game that messes with or deletes saves from other games. I know the public listings are moderated, but itch.io is often used for game jams where people share direct links to games that haven’t been checked yet, which bypasses moderation. Even an unintentional bug in one game could wipe saves from others.
  • Some of the game-making tools at https://itch.io/tools/platform-web run in the browser and also save to local storage. This means that a malicious game/tool could steal someone’s works in progress, or private games they are making for themselves and don’t intend to share, if they use any of those tools.
  • the user granting any permission (location services, camera, microphone, notifications, etc) to one game would grant that permission to all games

Don’t believe me? It’s right there in the OWASP cheat sheet: “ Avoid hosting multiple applications on the same origin, all of them would share the same localStorage object, use different subdomains instead.”

(+13)

I've published a quick & dirty ultra minimalist tool to export one's localStorage as a JSON file and import it on the new domain later.

https://crocmiam.itch.io/itch-localstorage-export-import

Will My HTML5 Game be affected? It plays Only in Browser At The Moment. I Made it able to Pre-Order Today and Made a Founder's Sale to spark interest for the Game.

(+1)

Yes, all html5 games will be affected. The moment your game gets moved to the new domain, all of your players will loose their game saves. This is inevitable. You could give a warning beforehand and maybe add a feature to download/upload save files.

Can we have some reassurance that this situation is less dire than it looks? Previous posters have already laid out the apparent problems, but it would be nice to know it’s not as bad as it seems.

(+1)

Regarding domain lock...

I put my first game on here yesterday, and to provide a domain lock I checked document.referrer like so:

Pseudo-code:
       if (window!=window.parent) HostCheck(document.referrer); // if in an iframe, get the referrer and check that.

It worked in all my tests and this way the hosting url doesn't matter because I test against my subdomain sclanim.itch.io

So my question is:

Is this okay? or is my method mistaken in some way?

(+4)

I wish itch would pass an anonymized user ID/signed token to HTML5 games so we could have frictionless authentication for remote game saves.

Yeah, That would be huge + allow for a ton of other features too!

I would love this also.

Hi! Is this change still scheduled to happen within 90 days of the original post? So if I release a game December 1st, my game won't be affected as that's after the change?

Admin

Our existing CDN provider will be completely shut down by end of November. We will be migrating before then. I still don’t have the exact date at this time, but should be in the coming weeks as we’ve just started testing the new integration.

Generally, most games will not be affected at all. Is there something in particular you’re concerned about with regards to delaying the release of your game? If it’s a save game issue you can opt into the itch.zone domain today and the migration will have no impact on your project.

Got it, thanks! It is indeed a save game issue, but as long as the migration happens before the end of November, it won't affect me at all.