A topic by leafo created 17 days ago Views: 1,000 Replies: 21
We’ve recently pushed out an update to all HTML5 games that adds a JavaScript based sitelock. If it detects a game from’s CDN is being loaded from a URL it will show a warning and provide a link to the page.

There are over 100k HTML5 games extracted to HTML on our servers. Although we tested as best we could, there’s still the potential that things break.

If you’re having an issue with the sitelock then please leave a reply here describing what’s happening, and include information about your setup/browser. If you run any browser extensions please try disabling them and trying again before reporting the issue (include the extension that caused a problem).

I'm a game owner trying to embed my game...

You can use the upload embed tool on your game’s dashboard. Please do not use the direct link for our CDN. That is not allowed, and this sitelock will now block that type of access. Thanks

Wow, great update. Nearly all of my games are hijacked by browser game hosting sites. I wanted to add some site lock mechanism at first but probably it won't work correctly, plus it will block the legitimate players as well. Also it's not a big deal for my side, as long as my game is played I'm happy. My only concern was, my connection with the player is cut by some silly ad bloated thief site :) . Maybe player wants to make a bug report or write some comment, but can't reach me.

I noticed I've been getting extra traffic on my game pages in these days. Mostly from external game hosting sites. So auto site lock update works perfectly, nice work. 

That’s great news that you’re seeing new traffic! On the referrer analytics, look for a URL that looks like and that will tell you how many people are coming directly from the automated sitelock.

Hey!

One of my games for a gamejam doesn't work anymore, and a link leads here so...

Can you help me? I already look a little bit stupid on streams showing your hotlink issue... 🥺

At least it was not a stream for the gamejam results... 😀

Hey! I got it!

It must be because the game loads itself in an iframe at the end!

Actually my game jam entry is an adaptation of the game jam entries themselves and you can play my game in my game. And yes, I must confess that it's silly.

But when you check that the game is not hotlinked, do you look at the domain? Or a game loaded from an iframe is considered a hotlinked one?

If you’re embedding your own game, then I recommend using the official game embed support detailed here:

For embedding other games, I’m not sure I have a solution for that right now. Are you doing that?

No, I only embed mine. The other ones were only videos.

Thanks a lot. I will follow your link.

We removed all games from and several other websites. Although we do the same thing, I have been arguing against it because it means less players for developers and less links for sites that distribute content. It's a lose, lose for everyone in my opinion. For game developers that want the biggest player reach, I suggest instead of

Edit: I misread the original post and replied incorrectly assuming they were associated with Y8 games. I clarified below. Sorry about that to anyone reading.

I believe you removed them all because:

  • you no longer make ad revenue off stealing our bandwidth
  • showing a page that tells the user that you are stealing from us is embarrassing

We have an authorized way for developers to create iframe embeds for their games, but what you did was steal without the permission of developers.

I doubt that you feel any sort of remorse about this, as I’m sure there are many other domains on your platform you’re hotlinking without permission that you have no intention of removing. You steal until you’re caught, rinse & repeat, all while showing as many ads as possible to extract as much money as possible.

I'm just a developer. I've been making games for nearly 20 years, so I don't get emotional about business. It was commonplace to freely distribute Flash games. As a developer, you should intentionally make games that will be picked up by other sites, more players and more money. If someone wants to "steal" my games and iframe them on their site. Please do so, I would be very thankful. The increase in players offsets any tiny bandwidth cost.

Maybe itch can not monetize games that are iframed? I don't work there, so I can't offer much advice. Sounds like a technical problem with the business model. Blocking distribution is causing losses for both itch and the developers that use it.

We do allow links and advertisements inside games. Blocking distribution only gives short term value and eventually results in publishers removing those games. If there is no value for the publishers to publish games, there is little reason to maintain those links to itch and the developers that use this site. Like I said before, we made the same mistake, so I'm speaking from experience, not just self interest.

I added my game, so now technically itch is hotlinking Y8. 🤣 Thank you

Don’t purposefully break our terms or the terms of other platforms, even if you’re making a joke, or we’ll have to suspend your page. Thanks

I’m sorry, I completely misread your post. I thought you were someone associated with Y8 since your account was just created and didn’t have any games on it. If they are your games we give you a tool to add iframe embeds on other sites, check it out here:

Really sorry about the confusion, I’ll edit my original post to clarify.

As a developer, you should intentionally make games that will be picked up by other sites, more players and more money

It depends on what kind of developer you are and what your goals are. This is not true for everyone. In fact, it’s not true for the vast majority of people who upload html5 games to Additionally, we took issue with the hotlinking specifically. These other portals could take the games and host them themselves, but they took the laziest approach possible.

Blocking distribution only gives short term value and eventually results in publishers removing those games

I’m not sure what you mean by short term value here. But in any case, we don’t work with publishers who mass publish HTML5 games for portals. We are a self publishing platform for developers to use directly. We want developers to have control over where their property is published.

If a developer wants to build a game packed full of ads, and get it loaded into as many portals as possible that’s fine for them. But, that has to be a choice the developer makes. I hope you understand our stance. Thanks

As a developer, you should intentionally make games that will be picked up by other sites, more players and more money.

Yeah, unless you make free webgames / fangames for fun as a hobby like half of the uploaders actually using this site originally made their accounts for. Because people playing the free stuff you made elsewhere online without having a single clue who even made the thing they're playing isn't exactly beneficial.

Not everything is about maximizing profits and not everyone shares the same goals as you. I pulled every game I ever uploaded here over a year ago because I was getting about 5-10% of the traffic compared to numerous other random websites who just took and placed everything I ever made onto their own pages without a care. 

Like, what was the point of me uploading on this site? To provide some little entertaining content every month for other sites to take & run advertisements alongside? With some of that content meaning to be banned from even making money in the first place? (I.E - Fan games using pre-existing assets which the original developers had nicely agreed for me to use so long as everything was free?)

This is a great update. I only found out it existed because "" hosting one of my older uploads (incorrectly at half the framerate, mind you) no longer functions. Not a clue where that site came from but hey, it's the first Google result from searching for the game's name so clearly they're no stranger to doing this successfully.

If by "" you're referring to, then you should probably know that's Itch's CDN...
Previously the sitelock allowed loading such URLs at top-level (ie not in an iframe), but that changed.

BTW, I did manage to play the game you linked using my 1337 h4x0r1ng skillz (i loaded it in an iframe here on itch), and I gotta say, it's a cool game. I hadn't heard of "Syobon Action" before either, so now I've learned a little bit of gaming history! (and gone down a bit of a rabbit hole... btw, did you know there's another Syobon fan game titled "Syobon Action X"?)

Maybe you could un-hide all of your games now that random sites will have a hard time stealing the games?
Or you could freely ignore weird advice from some internet rando who can't stay focused  : )

The embeds also fail if you're using an addon like Smart Referer to (try to) preserve your privacy.

I'll try to file an issue and get & its CDN properly added to the default whitelist.
@leafo, could you link me to an example of a legally/properly externally embedded game?
Also, can be safely hardcoded? (or will a more generic exception be needed like * ?)

Meanwhile, to any other users like me, adding this exception did the trick:

is the domain for our HTML5 CDN, is too broad so it should be avoided. We plan to migrate HTML5 games to to * at some point, but we’ve held off for quite some time now because of potential issues, but you can also add it for future proofing.

Here’s a page with an embed on a different domain:

Could you please add a check if the supposed deeplink comes from the game's page? (I sometimes use "show only this frame" on games that do not seem to play nice with full-screen)

This just constantly redirects me from to a slow 8s delayed AMP page telling me to use, which redirects me back.

This isn't good for user control of the browser or user privacy.

It sounds like you’re using some kind of browser extension that is changing how your browser works and is preventing our code from detecting what site the game is being loaded on. I recommend whitelisting our domains. You should let your browser send ancestorOrigins or referrer to the iframe hosted by us. Once you figure it out, if you can tell us what extension/option was blocking games from loading we can look into adding a workaround for it, or provide instructions directly on the page.

Regarding the amp page, we had an issue where we believed the code and page we created was getting blocked by some networks’ firewalls, so we used the amp cache as a quick way to load the page through an alternate URL. There is no personally identifiable information on this page. I’m sorry you don’t trust amp, but we’re unlikely to change it. If you update your extension settings then you should never see that page as long as you’re loading games from Thanks
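
The kind of check the reply above describes (parent origin taken from ancestorOrigins, falling back to the referrer, with a separate outcome when an extension strips both), as an added example that is not part of the thread and not the platform's actual sitelock code. The hostnames `platform.example` and `portal.example` and all function names are assumptions.

```javascript
// Added sketch, not the platform's real sitelock. Hostnames are placeholders.
const ALLOWED_PARENTS = ["platform.example"];

// Exact host or true subdomain only; the "." prefix keeps
// "notplatform.example" from matching "platform.example".
function hostAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// Hostname of a URL or origin string, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// env: { isTop, ancestorOrigins: list of origins or undefined, referrer: string }
function checkEmbed(env, allowed = ALLOWED_PARENTS) {
  // A CDN URL opened directly, outside any iframe, gets the warning page.
  if (env.isTop) return { verdict: "warn", reason: "top-level load of CDN URL" };

  // Preferred signal: every ancestor frame must be an allowed host.
  const chain = env.ancestorOrigins ? Array.from(env.ancestorOrigins) : [];
  if (chain.length > 0) {
    const bad = chain.find((o) => {
      const h = hostOf(o);
      return !h || !hostAllowed(h, allowed);
    });
    return bad === undefined
      ? { verdict: "allow", reason: "all ancestors allowed" }
      : { verdict: "warn", reason: "ancestor not allowed: " + bad };
  }

  // Fallback: the referrer, which only describes the immediate embedder.
  const ref = env.referrer ? hostOf(env.referrer) : null;
  if (ref === null) {
    // Both signals missing (e.g. stripped by an extension): cannot decide.
    return { verdict: "unknown", reason: "no ancestorOrigins or referrer" };
  }
  return hostAllowed(ref, allowed)
    ? { verdict: "allow", reason: "referrer allowed" }
    : { verdict: "warn", reason: "referrer not allowed: " + ref };
}

// In a browser, the input would be collected like this.
function browserEnv() {
  return { isTop: window.top === window.self,
           ancestorOrigins: location.ancestorOrigins,
           referrer: document.referrer };
}
```

The `unknown` verdict is the case users with referrer-stripping extensions hit: the page cannot tell a legitimate embed from a hotlink, so what to show there is a policy choice rather than something the check can answer.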

Ublock origin and the like are mandatory for browsing given the amount of malware delivered by ad networks and garbage third party javascript. If your site breaks with them, you have a broken site. I won't be adding you to any whitelist, nor will I be "raw dogging" the internet anytime soon.

I'm sorry you don't trust your users, I find no reason to trust you back.


I don’t understand how you jumped to the conclusion about us not trusting our users. We added the sitelock to prevent random sketchy game sites from ripping us and our developers off. If it’s not working for you when viewing a game on, then you’re right, it’s broken.

I suggested testing what extension is causing the issue so we can identify why it’s blocking it and implement a fix to allow you and others to play games on site. The only third-party javascript we load on a project page is going to be google analytics, but you can continue to block that if you’re concerned.