itch.io Spring Selects Series A
On Sale: GamesAssetsToolsTabletopComics
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
Tags

Sitelock Update

A topic by leafo created Nov 23, 2019 Views: 16,063 Replies: 92
Viewing posts 1 to 20 of 43 · Next page · Last page
Admin (1 edit) (+6)

Hello,

We’ve recently pushed out an update to all HTML5 games that adds a JavaScript based sitelock. If it detects a game from itch.io’s CDN is being loaded from a non-itch.io URL it will show a warning and provide a link to the itch.io page.

There are over 100k HTML5 games extracted to HTML on our servers. Although we tested as best we could, there’s still the potential that things break.

If you’re having an issue with the sitelock then please leave a reply here describing what’s happening, and include information about your setup/browser. If you run any browser extensions please try disabling them and trying again before reporting the issue (include the extension that caused a problem).

I'm a game owner trying to embed my game...

You can use the upload embed tool on your game’s dashboard. Please do not use the direct link for our CDN. That is not allowed, and this sitelock will now block that type of access. Thanks

(+3)

Wow, great update. Nearly all of my games at itch.io hijacked by browser game hosting sites. I wanted to add some site lock mechanism at first but probably it won't work correctly, plus it will block the legitimate players as well. Also its not big deal for my side, as long as my game is played I'm happy. My only concern was, my connection with the player is cut by some silly ad bloated thief site :) . Maybe player wants to make a bug report or write some comment, but can't reach me. 

I noticed I've been getting extra traffic on my itch.io game pages in these days. Mostly from external game hosting sites. So auto site lock update works perfectly, nice work. 

Admin (1 edit) (+3)

That’s great news that you’re seeing new traffic! On the referrer analytics, look for a URL that looks like itch.io/embed-hotlink/ and that will tell you how many people are coming directly from the automated sitelock.

So... I try to play a Itch.io game on CrazyGames.com, my FAVRIOTE gaming website, which went not so good. It said I had to stop and go here to play, which i thought was DUMB. I always go on CrazyGames.com a lot. And I mean a LOT. So much that I never want to change webs. Why not let 2 sites (CrazyGames.com+Itch.io) play their games instead of 1? It will give CrazyGames.com more fun stuff! It will also make me happy!

really.

Hey !

One of my game for a gamejam doesn't work anymore, and a link leads here so...

Can you help me ? I already look a little bit stupid on streams showing your hotlink issue... 🥺

At least it was not a stream for the gamejam results... 😀

https://d-deschamps-magnetiques.itch.io/msh2019-simulator-2020

Hey! I got it!

It must be because the game loads itself in an iframe at the end!

Actually my game jam entry is an adaptation of the game jam entries themselves and you can play my game in my game. And yes, I must confess that it's silly.

But when you check that the game is not hotlinked, do you look at the domain ? Or a game loaded from an iframe is considered an hotlinked one ?

Thanks !

Admin

If you’re embedding your own game, then I recommend using the official game embed support detailed here: https://itch.io/updates/introducing-game-embeds

For embedding other games, I’m not sure I have a solution for that right now. Are you doing that?

No, I only embed mine. The other ones were only videos.

Thanks a lot. I will follow your link.

(1 edit)

We removed all itch.io games from Y8.com and several other websites. Although we do the same thing, I have been arguing against it because it means less players for developers and less links for sites that distribute content. It's a lose, lose for everyone in my opinion. For game developers that want the biggest player reach, I suggest gamedistribution.com instead of itch.io.

Admin (6 edits) (+1)

Edit I misread the original post and replied incorrectly assuming they were associated with Y8 games. I clarified below. Sorry about that to anyone reading.

View original post...

I believe you removed them all because:

  • you no longer make ad revenue off our stealing our bandwidth
  • showing a page that tells the user that you are stealing from us is embarrassing

We have an authorized way for developers to create iframe embeds for their games, but what you did was steal without the permission of developers.

I doubt that you feel any sort of remorse about this, as I’m sure there are many other domains on your platform you’re hotlinking without permission that you have no intention of removing. You steal until you’re caught, rinse & repeat, all while showing as many ads as possible to extract as much money as possible.

(2 edits)

I'm just a developer. I've been making games for nearly 20 years, so I don't get emotional about business. It was commonplace to freely distribute Flash games. As a developer, you should intentionally make games that will be picked up by other sites, more players and more money. If someone wants to "steal" my games and iframe them on their site. Please do so, I would be very thankful. The increase in players offsets any tiny bandwidth cost.

Maybe itch can not monetize games that are iframed? I don't work there, so I can't offer much advice. Sounds like a technical problem with the business model. Blocking distribution is causing losses for both itch and the developers that use it.

We do allow links and advertisements inside games. Blocking distribution only gives short term value and eventually results in publishers removing those games. If there is no value for the publishers to publish games, there is little reason to maintain those links to itch and the developers that use this site. Like I said before, we made the same mistake, so I'm speaking from experience, not just self interest.

I added my game, so now technically itch is hotlinking Y8. 🤣 https://eddieone.itch.io/banjo-panda Thank you

Admin (2 edits) (+1)

Don’t purposefully break our terms or the terms of other platforms, even if you’re making a joke, or we’ll have to suspend your page. Thanks

Admin (7 edits) (+2)

I’m sorry, I completely misread your post. I thought you were someone associated with Y8 since your account was just created and didn’t have any games on it. If they are your games we give you a tool to add iframe embeds on other sites, check it out here: https://itch.io/updates/introducing-game-embeds

Really sorry about the confusion, I’ll edit my original post to clarify.

As a developer, you should intentionally make games that will be picked up by other sites, more players and more money

It depends on what kind of developer you are and what your goals are. This is not true for everyone. In fact, it’s not true for the vast majority of people who upload html5 games to itch.io. Additionally, we took issue with the hotlinking specifically. These other portals could take the games and host them themselves, but they took the laziest approach possible.

Blocking distribution only gives short term value and eventually results in publishers removing those games

I’m not sure what you mean by short term value here. But in any case, we don’t work with publishers who mass publish HTML5 games for portals. We are a self publishing platform for developers to use directly. We want developers to have control over where their property is published.

If a developer wants to build a game packed full of ads, and get it loaded into as many portals as possible that’s fine for them. But, that has to be a choice the developer makes. I hope you understand out stance. Thanks

Deleted 4 years ago
Deleted 2 years ago
Deleted 2 years ago

how did you do the iframe load method

its been a while lets talk on my mail or discord(if you have a discord)

mail:cypherpunks132@gmail.com

discord:cypherpunks#9424

or message me on skype

-cypherpunks

(+2)

You are not a 'developer' you are a plagiarist and a coward.  Don't try to hide behind the 'but i'm a developer too look at my EXPERIENCE' garbage.

Attribution is REQUIRED for anything linked to or used.  Your website(s) do the absolute bare minimum they can get away with because you know most indie devs will either not know or not care to file DMCA takedowns on every web portal that plagiarizes a hosted version of their game.

Web portals are trash and always have been malware-ridden stains on the internet.  Gamers use Steam, GoG, itch, and other distribution stores to play games instead.  If people want plagiarized spyware-encumbered "free" games, they realize that those have almost all moved to mobile (the new dumping ground unfortunately).

Speak for yourself and never presume to speak for other devs.  Plagiarism is one of the biggest problems still infesting the internet.

(3 edits) (+6)

The embeds also fail if you're using an addon like Smart Referer to (try to) your preserve privacy.

I'll try to file an issue and get itch.io & it's CDN properly added to the default whitelist.
@leafo, could you link me to an example of a legally/properly externally embeded itch.io game?
Also, can v6p9d9t4.ssl.hwcdn.net be safely harcoded? (or will a more generic exception be needed like *.ssl.hwcdn.net ?)

Meanwhile, to any other users like me, adding this exception did the trick:

SourceDestination
*.itch.io*
Admin (1 edit) (+2)

v6p9d9t4.ssl.hwcdn.net is the domain for our HTML5 CDN, ssl.hwcdn.net is too broad so it should be avoided. We plan to migrate HTML5 games to to *.itch.zone at some point, but we’ve held off for quite some time now because of potential issues, but you can also add it for future proofing.

Here’s a page with an itch.io embed on a different domain: https://leafo.net/itchio_embed.html

(+2)

How about disabling sitelock when there's an empty referrer (means the player uses whatever privacy extension)?

Admin moved this topic to Ideas & Feedback
(+1)

Could you please add a check if the supposed deeplink comes from the game's itch.io page? (I sometimes use "show only this frame" on games that do not seem to play nice with full-screen)

Deleted 2 years ago
Admin (2 edits) (+1)

It sounds like you’re using some kind of browser extension that is changing how your browser works and is preventing our code from detecting what site the game is being loaded on. I recommend whitelisting our domains. You should let your browser send ancestorOrigins or referrer to the iframe hosted by us. Once you figure it out, if you can tell us what extension/option was blocking games from loading we can look into adding a workaround for it, or provide instructions directly on the page.

Regarding the amp page, we had an issue where we believed the code and page we created was getting blocked by some networks’ firewalls, so we used the amp cache as a quick way to load the page through an alternate URL. There is no personally identifiable information on this page. I’m sorry you don’t trust amp, but we’re unlikely to change it. If you update your extension settings then you should never see that page as long as you’re loading games from itch.io. Thanks

Deleted 2 years ago
Admin(+2)

I don’t understand how you jumped to the conclusion about us not trusting our users. We added the sitelock to prevent random sketchy game sites from ripping us and our developers off. If it’s not working for you when viewing a game on itch.io, then you’re right, it’s broken.

I suggested testing what extension is causing the issue so we can identify why it’s blocking it and implement a fix to allow you and others to play games on site. The only third-party javascript we load on a project page is going to be google analytics, but you can continue to block that if you’re concerned.

Thanks

Deleted 2 years ago
Admin (1 edit) (+1)

But origins are not since they are part of security policies and checking for modern browsers. We attempt to read the ancestor origins of the frame, and only read the referrer as a fallback for older browsers.

Deleted 2 years ago

This feature just decreases games visibility, even hotlinked games drive attention to the game and benefit to itch.io SEO. Restricting it will both drop Itch.io SEO and amount of gameplays games receive. 

It's actually worse if games are downloaded and rehosted IMHO. At least for similar reasons image hosting websites do not protect images from hotlinking.

Admin(+3)

That’s not how SEO works. Additionally, we have an official way for developers to generate a URL to embed their game on other websites if they want to distribute their game elsewhere. Thanks

Hi, I linked my itch.io game onto my portfolio website and it was flagged as having been stolen. It's my own game on my own website. If you could rectify this, it would be much appreciated.

Admin(+3)

Hello,

If you go to your game’s edit page, the go to the Distribute tab you can find a tool to create embed code for your game itself. Use that instead of trying to pull our CDN link directly out of the source of your page, we don’t allow that. Tell me if you have any issues. Thanks

This feature broke my submission for a gamejam.

The magazine that endorse the gamejam make a review of all games but mine as it was f*cked up on itch.io.

Well... Actually it's to late to change anything and it's funny – in a very special way – to be the only one with a broken submission.

But well... That joke is not worth the maybe 30 hours I spent on this gamejam.

All I can hope, as I work in software development, is that you could have some more experience after «that disaster» (that the way I refer to it when I think about it) to avoid unexpected behaviours.

Thanks.

Admin

Hey, I’m not sure why you’re posting again on the bottom. I gave you instructions how to use a game embed URL from itch.io to embed your game on another domain further up in the topic though. Are you unable to use it? Did it not work?

Well, it's hard to explain but my submission use iframes with itself in it (the app load the app which load the app in frames).

But itch seems to prevent iframes. Not only iframes from other domains.

That's the point.

I feel a little bit angry for a lot of reasons, not only after the sitelock update. The gamejam was planned for August 2019. It was then decided to add one more month. Then the magazine take two more months to set the winners and another month before announcing the winner (the next magazine printing. And the sitelock update comes in the middle of all those delays.

It's bad luck as if any of those steps did not happened, I would have not face any issue.

So yeah, there is a little bit of bitterness in all that stack of events, unfortunately for myself.

Is it your fault ? No, it's not your only fault. Is it the gamejam endorsers one ? No, it's not their only fault.

Is it mine ? Yeah, sure. I should have switch from web to downloadable content sooner than what I do.

But the sitelock update should  not have prevent a legitimate Itch.io hosted game to run on the Itch.io platform. That's what I tried to explain (not in my native language).

Admin(+1)

If you are the creator of the game then you can generate embed code from your project’s Distribute edit tab that you can safely use inside of your project. We only block direct CDN urls.

(1 edit)

Consider this a crash course on why 'hotlinking' is bad and why you should feel bad that as a 'game developer' you think it is ok to use that as standard practice.

There's a way to embed it properly or host it yourself as a fallback.  It isn't itch's job to permit hotlinks from their CDN for you or anyone else.

Also iframes within iframes within iframes is such a screwed-up system that you might be learning gamedev for browsers from some book made for Internet Explorer 6 back in 1999.  Time for you to learn HTML5 and the proper way to do game embeds from the itch platform.

This game isn't working

https://studio-black-flag.itch.io/click-of-cthulhu

it will like half load unity an then crashes saying im not using itch.io.

turn't off all my extentions

Admin(+1)

What browser are you using? I had no issues starting it up just now.

im using mozilla firefox. and lit only found this

Admin(+1)

I wasn’t able to reproduce it on my version of Firefox. Are you sure you disabled all extensions? You said it crashes, does it show anything else?

Try using 'Firefox Portable' from PortableApps or another website of your choice.  That'll isolate any system issues and should permit you to load up the game.

(+3)

I found the problem, it seems like if anyone has an extension that blocks referer or spoofs it. The HTML game will send it to the itch.io page about game being stolen or hotlink. More information here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

Admin

Can you share what extension is it? I’d like to try to identify them so I can either include instructions or code workaround.

(1 edit) (+2)

I use ematrix a copy of umatrix on pale moon browser. Inside the 3 dotted lines next to the power button you will then see the switch for "spoof referer header".

Deleted post
(+3)

Firefox has a built-in feature which allows you to open a frame only in a tab, i.e. cutting out the other website clutter. This triggers the sitelock thing, even if it was accessed from itch.io . Dunno how possible it would be to allow this while still stopping theft but it'd be very convenient.

Same issue here. Which becomes a problem when some games don't want to load otherwise.

How about letting devs decide whether they enable sitelock?

Admin (1 edit) (+1)

You can do this by using the game embed tool: https://itch.io/updates/introducing-game-embeds

(+1)

I don't understand: when a privacy-enhanced user checks a game's page (e.g. because they found it via itch.io search), they just get the sitelock warning indefinitely and confusingly. Are you saying gamedevs need to ensure users play the game from outside itch.io via an embed?

Just let us decide whether to enable it.

Admin (1 edit) (+2)

I think you’re talking about two separate things,

when a privacy-enhanced user checks a game’s page

If someone is seeing the sitelock on the itch.io page that’s a bug on our end. We’re looking into fixing it

Are you saying gamedevs need to ensure users play the game from outside itch.io via an embed

If someone wants to host their html5 game on another site, then they need to use the itch.io embed. We will no longer allow people to use our direct CDN links. It was abused too much. This is in line with how we do downloadable games as well: we don’t provide direct links to files, you must go through itch.io to download. This is important to help keep the platform alive by letting people discover itch.io. I hope you understand, thanks

(There are other advantages to using the itch.io embed code as well: we can make features like analytics and in-game APIs work seamlessly)

(+1)

Persistently getting hit with this on https://watabou.itch.io/toy-town (latest firefox, ublock origin, https everywhere, privacy badger) but other pages (like https://watabou.itch.io/medieval-fantasy-city-generator ) are working perfectly fine. Tried disabling extensions, same problem.

Admin(+1)

Can you share what your browser privacy settings are on firefox? Under the “Enhanced privacy protection.”

If possible, you can try adding https://watabou.itch.io/ and https://v6p9d9t4.ssl.hwcdn.net to the exceptions list to see if it makes any different.

I think long term we’re going to change our implementation to something that doesn’t rely on referrer data.

Thanks for testing

(+1)

hey! im playing a game in browser on itch.io but it keeps telling me ive stolen or hotlinked it?? i dont know whats going on! thanks!

The game is called Known Unknowns, and it's great!! But I'm definitely playing it on itch, using the in browser player! It's a delight of a game, and even though I'm finished with it, I'd rather other people not have to deal with this issue! Thanks!

I noted a weird link in my analytics, as source of traffic.
It started with itch.io/embed-hotlink/ and then a bunch of numbers.

Clicking it, I saw someone tried to steal/hotlink my "game" (which wasn't even really worth stealing.)
But I can not see which site tried to hotlink my game. 
Is there a way I can find this out?

Admin

If you see that link in your referrers then that means that our sitelock has redirect users from a site that tried to steal your game to your itch.io page.

We don’t record analytics for where the embeds are coming from, so we’re unable to tell you where the site was being embedded. Sorry

Oh bummer. Might be a great option if that is possible in the future.
Knowing someone tries to hijack your game is good, but knowing who it is would be even better.

Thanks for your reply anyway.

(3 edits) (+1)

Hi, I've just noticed that one of my browser game is no longer working when played from itch.io.

The HTML5 game simply no longer loads in the "frame" that contains it. And when I try to directly open the page inside this frame to play the game (using Firefox => open the content of this frame in a new tab feature), I got a hotlinking/stealing page that told me to post here.

So here I am! The game with the issue is this one:

https://drludos.itch.io/shootanoid

It's a standard HTML5 game embedded on itch.io (single html5 page), the game is made with the TIC-80 fantasy console.

Can you please fix it if possible?

Thanks a lot for your help!

I just tested it and the issue is still there for me :/

Viewing posts 1 to 20 of 43 · Next page · Last page