Skip to main content

Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
itch.io Community » itch.io » Questions & Support

HTML5 Hotlinking and Game theft (Deleting builds from html5 hosting?)

A topic by DDRKirby(ISQ) created May 29, 2019 Views: 1,762 Replies: 8
Viewing posts 1 to 6
DDRKirby(ISQ)5 years ago(+1)

Hi there!

Online game theft is a common occurrence as I'm sure you all know and itch.io's html5 embed code makes it easier than ever for people to simply copy-paste the iframe that points to https://v6p9d9t4.ssl.hwcdn.net/html/.../index.html  and presto!  They've stolen your game.

Unfortunately due to same-origin policy it's not possible to determine where your iframe is embedded in from the app itself so until the itch team perhaps restricts hotlinking this sort of exploit is just possible.  I've seen several sites already that simply scrape itch and embed links to itch.io html5 index pages, essentially utilizing itch's webhosting and bandwidth to drive traffic to their own (ad-supported) sites.  Sad times!

As devs we can change the urls at which our builds are hosted by uploading new builds, which leads to a new path under https://v6p9d9t4.ssl.hwcdn.net, but unfortunately right now the older builds are still available so the offending sites' embed code still works.

Is there any functionality available to REMOVE an old build from the https://v6p9d9t4.ssl.hwcdn.net hosting service?  I understand that DRM and site-locking is inherently not a trivial problem but I would imagine that this basic step of deleting the old hosted builds should be doable.

Thanks!

Reply
DDRKirby(ISQ)5 years ago(+1)

Alternatively, could we use the CSP frame ancestors directive to prevent iframe embeds from other domains?

Reply
leafoAdmin5 years ago (1 edit) (+1)

Links from that domain are our CDN. If you delete a file from our site, then it will get purged from the CDN generally within a day or so. If there's a particular file you want purged immediately you can contact us via support.

We have an automatic site locking system in progress but have not deployed it yet because we haven't had a chance to verify compatibility. There's no reliable way to do it with HTTP headers so it involves injecting javascript.  This would be the first time we're manipulating files uploaded by people so we have to be careful.

You as a developer can also implement your own site locked, this is something we've recommended in the past. If you do implement it, please also authorize the domain *.itch.zone since we may migrate CDN domain at some point.

Reply
DDRKirby(ISQ)5 years ago (2 edits)

Thanks for the response!  It's been 3 days since I obsoleted the build at https://v6p9d9t4.ssl.hwcdn.net/html/1436437-163692/index.html but that looks to still be live.  I should note that I didn't explicitly "delete the file from itch", but simply pushed a new build via butler.  I'll give the CDN a bit more time as this is not urgent and the DMCA takedown notices I filed seemed to have deterred the offending site(s).

Good to know that I can request a manual CDN purge via support, thanks!  I assume I should issue that request via email?

Yep, I've already read about the *.itch.zone futureproofing and the WIP site lock javascript injection.  No rush on that, please take your time!

I actually already had my own site lock logic setup, but was struggling to get around iframe embeds since the iframe that the app is loaded in is typically a valid URL even if the parent page is in a completely different domain.  A naive check of the application's URL will simply return the iframe URL (which is at https://v6p9d9t4.ssl.hwcdn.net) so that isn't particularly useful for preventing this sort of abuse.  To make matters worse, the username.itch.io page is on a different domain so you can't just check parent.document.location or whatever due to same-origin policy.

However!  It seems that the document.referrer string is properly set in this case and can be used to examine the URL of the parent page.  Fetching this via javascript in Unity-land involves a bit of extra work in terms of returning the string value to C#, but I've successfully updated my projects to examine value of document.referrer to prevent this sort of embed.

For anyone coming across this post in the future, I should note that in addition to checking the referrer URL against your whitelisted domains (yourusername.itch.io/*, yourwebsite.com/*), you should also check the actual direct URL (not referrer) and whitelist it against things like file:///*, localhost/*, localhost:*, and most importantly, itch-cave://* which is used to serve your html5 game when downloaded via the itch app.

Note that it's generally NOT useful to check whether the direct URL of the app resides on https://v6p9d9t4.ssl.hwcdn.net or *.itch.zone as any other site can simply embed your index.html page in an iframe to get around this.  I've seen MANY instances of iframes pointing to https://v6p9d9t4.ssl.hwcdn.net in the wild and it wouldn't surprise me if someone had already written a bot to automatically scrape itch.io iframe links in this fashion for re-embedding in their own sites.

Reply
leafoAdmin5 years ago

Do you mind listing the offending sites? You can email them to support@itch.io if you don't want to give them any more attention. Thanks

Reply
DDRKirby(ISQ)5 years ago(+1)

http://www.freewebarcade.com/

https://kbhgames.com

They seem to also host a good number of the games on their own servers so I'm not sure that they always/only use itch.io-hosted iframe embeds -- perhaps they only did so for my game since I had site-locking that required them to do so (?)

My game has since been taken down from both of these sites.

Reply
leafoAdmin5 years ago(+2)

Just a quick update for anyone who comes across this topic: We deployed automatic javascript-based sitelock across all html5 games. It replaces your game with a banner that encourages to viewer to go directly to your itch.io page. It should help capture traffic from the sites that have been trying to steal itch.io CDN urls up until now. Thanks!

If you have an issue or any questions about it, please post here: https://itch.io/t/614172/sitelock-update

Reply
TheClicketyBoom4 years ago

does this work with the zipped uploads? I am using UE4 and could NOT find a way to lock to itch :(

Reply
leafoAdmin4 years ago(+1)

The latest update will apply to all HTML5 games. The code injection is delayed though so it may not be instantly available on your page.

Reply
This topic has been auto-archived and can no longer be posted in because there haven't been any posts in a while.
AboutFAQBlogContact us
Copyright © 2024 itch corp · Directory · Terms · Privacy · Cookies