We removed all itch.io games from Y8.com and several other websites. Although we do the same thing, I have been arguing against it because it means less players for developers and less links for sites that distribute content. It's a lose, lose for everyone in my opinion. For game developers that want the biggest player reach, I suggest gamedistribution.com instead of itch.io.
Edit I misread the original post and replied incorrectly assuming they were associated with Y8 games. I clarified below. Sorry about that to anyone reading.
I believe you removed them all because:
We have an authorized way for developers to create iframe embeds for their games, but what you did was steal without the permission of developers.
I doubt that you feel any sort of remorse about this, as I’m sure there are many other domains on your platform you’re hotlinking without permission that you have no intention of removing. You steal until you’re caught, rinse & repeat, all while showing as many ads as possible to extract as much money as possible.
I'm just a developer. I've been making games for nearly 20 years, so I don't get emotional about business. It was commonplace to freely distribute Flash games. As a developer, you should intentionally make games that will be picked up by other sites, more players and more money. If someone wants to "steal" my games and iframe them on their site. Please do so, I would be very thankful. The increase in players offsets any tiny bandwidth cost.
Maybe itch can not monetize games that are iframed? I don't work there, so I can't offer much advice. Sounds like a technical problem with the business model. Blocking distribution is causing losses for both itch and the developers that use it.
We do allow links and advertisements inside games. Blocking distribution only gives short term value and eventually results in publishers removing those games. If there is no value for the publishers to publish games, there is little reason to maintain those links to itch and the developers that use this site. Like I said before, we made the same mistake, so I'm speaking from experience, not just self interest.
I added my game, so now technically itch is hotlinking Y8. 🤣 https://eddieone.itch.io/banjo-panda Thank you
I’m sorry, I completely misread your post. I thought you were someone associated with Y8 since your account was just created and didn’t have any games on it. If they are your games we give you a tool to add iframe embeds on other sites, check it out here: https://itch.io/updates/introducing-game-embeds
Really sorry about the confusion, I’ll edit my original post to clarify.
As a developer, you should intentionally make games that will be picked up by other sites, more players and more money
It depends on what kind of developer you are and what your goals are. This is not true for everyone. In fact, it’s not true for the vast majority of people who upload html5 games to itch.io. Additionally, we took issue with the hotlinking specifically. These other portals could take the games and host them themselves, but they took the laziest approach possible.
Blocking distribution only gives short term value and eventually results in publishers removing those games
I’m not sure what you mean by short term value here. But in any case, we don’t work with publishers who mass publish HTML5 games for portals. We are a self publishing platform for developers to use directly. We want developers to have control over where their property is published.
If a developer wants to build a game packed full of ads, and get it loaded into as many portals as possible that’s fine for them. But, that has to be a choice the developer makes. I hope you understand out stance. Thanks
You are not a 'developer' you are a plagiarist and a coward. Don't try to hide behind the 'but i'm a developer too look at my EXPERIENCE' garbage.
Attribution is REQUIRED for anything linked to or used. Your website(s) do the absolute bare minimum they can get away with because you know most indie devs will either not know or not care to file DMCA takedowns on every web portal that plagiarizes a hosted version of their game.
Web portals are trash and always have been malware-ridden stains on the internet. Gamers use Steam, GoG, itch, and other distribution stores to play games instead. If people want plagiarized spyware-encumbered "free" games, they realize that those have almost all moved to mobile (the new dumping ground unfortunately).
Speak for yourself and never presume to speak for other devs. Plagiarism is one of the biggest problems still infesting the internet.
The embeds also fail if you're using an addon like Smart Referer to (try to) your preserve privacy.
I'll try to file an issue and get itch.io & it's CDN properly added to the default whitelist.
@leafo, could you link me to an example of a legally/properly externally embeded itch.io game?
Also, can v6p9d9t4.ssl.hwcdn.net be safely harcoded? (or will a more generic exception be needed like *.ssl.hwcdn.net ?)
Meanwhile, to any other users like me, adding this exception did the trick:
| Source | Destination |
| *.itch.io | * |
v6p9d9t4.ssl.hwcdn.net is the domain for our HTML5 CDN, ssl.hwcdn.net is too broad so it should be avoided. We plan to migrate HTML5 games to to *.itch.zone at some point, but we’ve held off for quite some time now because of potential issues, but you can also add it for future proofing.
Here’s a page with an itch.io embed on a different domain: https://leafo.net/itchio_embed.html
It sounds like you’re using some kind of browser extension that is changing how your browser works and is preventing our code from detecting what site the game is being loaded on. I recommend whitelisting our domains. You should let your browser send ancestorOrigins or referrer to the iframe hosted by us. Once you figure it out, if you can tell us what extension/option was blocking games from loading we can look into adding a workaround for it, or provide instructions directly on the page.
Regarding the amp page, we had an issue where we believed the code and page we created was getting blocked by some networks’ firewalls, so we used the amp cache as a quick way to load the page through an alternate URL. There is no personally identifiable information on this page. I’m sorry you don’t trust amp, but we’re unlikely to change it. If you update your extension settings then you should never see that page as long as you’re loading games from itch.io. Thanks
I don’t understand how you jumped to the conclusion about us not trusting our users. We added the sitelock to prevent random sketchy game sites from ripping us and our developers off. If it’s not working for you when viewing a game on itch.io, then you’re right, it’s broken.
I suggested testing what extension is causing the issue so we can identify why it’s blocking it and implement a fix to allow you and others to play games on site. The only third-party javascript we load on a project page is going to be google analytics, but you can continue to block that if you’re concerned.
Thanks
This feature just decreases games visibility, even hotlinked games drive attention to the game and benefit to itch.io SEO. Restricting it will both drop Itch.io SEO and amount of gameplays games receive.
It's actually worse if games are downloaded and rehosted IMHO. At least for similar reasons image hosting websites do not protect images from hotlinking.
This feature broke my submission for a gamejam.
The magazine that endorse the gamejam make a review of all games but mine as it was f*cked up on itch.io.
Well... Actually it's to late to change anything and it's funny – in a very special way – to be the only one with a broken submission.
But well... That joke is not worth the maybe 30 hours I spent on this gamejam.
All I can hope, as I work in software development, is that you could have some more experience after «that disaster» (that the way I refer to it when I think about it) to avoid unexpected behaviours.
Thanks.
Well, it's hard to explain but my submission use iframes with itself in it (the app load the app which load the app in frames).
But itch seems to prevent iframes. Not only iframes from other domains.
That's the point.
I feel a little bit angry for a lot of reasons, not only after the sitelock update. The gamejam was planned for August 2019. It was then decided to add one more month. Then the magazine take two more months to set the winners and another month before announcing the winner (the next magazine printing. And the sitelock update comes in the middle of all those delays.
It's bad luck as if any of those steps did not happened, I would have not face any issue.
So yeah, there is a little bit of bitterness in all that stack of events, unfortunately for myself.
Is it your fault ? No, it's not your only fault. Is it the gamejam endorsers one ? No, it's not their only fault.
Is it mine ? Yeah, sure. I should have switch from web to downloadable content sooner than what I do.
But the sitelock update should not have prevent a legitimate Itch.io hosted game to run on the Itch.io platform. That's what I tried to explain (not in my native language).
Consider this a crash course on why 'hotlinking' is bad and why you should feel bad that as a 'game developer' you think it is ok to use that as standard practice.
There's a way to embed it properly or host it yourself as a fallback. It isn't itch's job to permit hotlinks from their CDN for you or anyone else.
Also iframes within iframes within iframes is such a screwed-up system that you might be learning gamedev for browsers from some book made for Internet Explorer 6 back in 1999. Time for you to learn HTML5 and the proper way to do game embeds from the itch platform.
This game isn't working
https://studio-black-flag.itch.io/click-of-cthulhu
it will like half load unity an then crashes saying im not using itch.io.
turn't off all my extentions
I found the problem, it seems like if anyone has an extension that blocks referer or spoofs it. The HTML game will send it to the itch.io page about game being stolen or hotlink. More information here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
You can do this by using the game embed tool: https://itch.io/updates/introducing-game-embeds
I don't understand: when a privacy-enhanced user checks a game's page (e.g. because they found it via itch.io search), they just get the sitelock warning indefinitely and confusingly. Are you saying gamedevs need to ensure users play the game from outside itch.io via an embed?
Just let us decide whether to enable it.
I think you’re talking about two separate things,
when a privacy-enhanced user checks a game’s page
If someone is seeing the sitelock on the itch.io page that’s a bug on our end. We’re looking into fixing it
Are you saying gamedevs need to ensure users play the game from outside itch.io via an embed
If someone wants to host their html5 game on another site, then they need to use the itch.io embed. We will no longer allow people to use our direct CDN links. It was abused too much. This is in line with how we do downloadable games as well: we don’t provide direct links to files, you must go through itch.io to download. This is important to help keep the platform alive by letting people discover itch.io. I hope you understand, thanks
(There are other advantages to using the itch.io embed code as well: we can make features like analytics and in-game APIs work seamlessly)
Persistently getting hit with this on https://watabou.itch.io/toy-town (latest firefox, ublock origin, https everywhere, privacy badger) but other pages (like https://watabou.itch.io/medieval-fantasy-city-generator ) are working perfectly fine. Tried disabling extensions, same problem.
Can you share what your browser privacy settings are on firefox? Under the “Enhanced privacy protection.”
If possible, you can try adding https://watabou.itch.io/ and https://v6p9d9t4.ssl.hwcdn.net to the exceptions list to see if it makes any different.
I think long term we’re going to change our implementation to something that doesn’t rely on referrer data.
Thanks for testing
I noted a weird link in my analytics, as source of traffic.
It started with itch.io/embed-hotlink/ and then a bunch of numbers.
Clicking it, I saw someone tried to steal/hotlink my "game" (which wasn't even really worth stealing.)
But I can not see which site tried to hotlink my game.
Is there a way I can find this out?
Hi, I've just noticed that one of my browser game is no longer working when played from itch.io.
The HTML5 game simply no longer loads in the "frame" that contains it. And when I try to directly open the page inside this frame to play the game (using Firefox => open the content of this frame in a new tab feature), I got a hotlinking/stealing page that told me to post here.
So here I am! The game with the issue is this one:
https://drludos.itch.io/shootanoid
It's a standard HTML5 game embedded on itch.io (single html5 page), the game is made with the TIC-80 fantasy console.
Can you please fix it if possible?
Thanks a lot for your help!
So why don’t you guys just add a “embed external game URL” for HTML5
We want people to upload their games directly to our platform and not use the “External link” feature. External links can break and tend to provide a poor user experience. (They break our apps ability to auto-update, we can’t track when files are changed, people provide links to things that aren’t direct files, it’s hard for us to verify that links are still correct and work, etc.) We will be deprecating external links for downloadable games in the future.
I’m not going to update itch every time my game is updated
Just like downloadable games, if you want to update your game you should upload a new build. Depending on how technical you are, you can automate this using a CI provider and butler.
also the lock makes the referal broken
Can you explain? The sitelock code does not change how games have been embedded, it’s a script that runs after the game is loaded that checks where the the iframe is located.
I understand and respect the decision, just note that it does come at the cost of risking to have outdated games because of the upload process.
About the referal, I mean that the google analitics referal list shows "someID.ssl.hwcdn.net" instead of the usual itch.io link. Not a big deal, and I think it's not hard to fix.
https://squidsquadgames.itch.io/tanuki-sunset
Free game, same issue, 160 days later :/
Is there any fix yet? I periodically stumble on this kind of issue.
Could you please fix that?
Hello! My site is game-game.com.ua. And when you open your game on it, I get this answer: http://www.game-game.com.ua/183501/
I bought it and I'm loading it from https://quasiotter.itch.io/no-secrets but it says I can't load it. I'm using FireFox on Linux.
https://ejadelomax.itch.io/sortinghatchats isn't working while on itch.io itself.
Hey I think this is what is causing my issue (https://github.com/itchio/itch.io/issues/1083) with flicksy (https://candle.itch.io/flicksy), which relies on being able to fetch its own javascript source code. I'm not trying to access it from outside of itch at all, but the javascript code seems to end up on a different origin to the page that's actually running it when you launch it from the itch page. Is there a way to disable this?
I tripped over this because my code assumed that the only script tags in the page were my own--I have an issue (https://github.com/itchio/itch.io/issues/1083) where I described how I'm working around this now, but it would be good to have a less hard-coded way to do this.
Hi,
I'm having trouble running any of the web-based games.
An example is
https://damonwakes.itch.io/draw-nine
I've seen people mentioning the Referer: header so I captured it with the network tab of the developer tools:
Referer: https://itch.io/bundle/download/<possibly sensitive bit>?page=53
... which looks intact.
Thanks,
Tim
Edit: using Firefox on Windows.
In this case, the referrer will not matter. It’s possible you’re using some privacy extension or browser setting that is preventing the browser from operating normally? You may want to try temporarily disabling those things to see if it makes any difference. An alternative approach, you could try running the HTML5 games in our app, as it will let you download a local copy of an HTML5 game.
Hope that helps
Thanks for the reply leafo.
Yes, I'm using umatrix in the browser and privoxy in the router, but I'd already tried bypassing both those.
I'm not really an 'app' sort of chap, so in the end I've installed a different browser on a USB stick for use with itch, and games are running OK on that. It's like using a dedicated app, but with more buttons & switches exposed. You can never have too many buttons and switches!
Cheers,
Tim
https://jamie-rollo.itch.io/gamut-maker ... this is hitting issues. I'm not the developer, but the customer. Am very much about privacy, so won't be turning off add-ons. Can't believe how broken itch.io is suddenly, especially when have paid for things, and devs need to have games easily seen and accessible. Terrifying to click through into my Library, then onto a purchase, and to see 'you're not on itch.io' plus a huge red square. Was it specially designed to look hacked and worry people? Seems so, as the relevant notice is in smaller print, and actually took a while to see. I'll need to not use itch.io anymore, but will support devs who direct me to a secure link/site where I can support them/make a purchase.
Nevermind, I just realized it's because HTML5 games need to be downloaded and installed locally to play it through the app. It seems that my music mp3 assets are exposed. Is there anyway to obfuscate that? (Or is there something I need to do outside of itch.io prior to building my files?) Because I spent a lot of time composing and producing those soundtracks. Would be sad to see them get stolen and used elsewhere.
Hi everyone! I'm a bit of an idiot regarding this sitelocking mechanism so here are a few questions:
- Is there a procedure to perform to protect one's html5 game or does the autolock actually run automatically?
- My game (dracunite for the lowrezjam) has been stolen by a bunch of sites... So... I was assuming that if the autolock is working automatically... It no longer is or these sites found a workaround it. Is there anything I can about it?
thanks for any help!
And the culprits I found on the first page of a google search...
https://arcadespot.com/game/dracunite/
https://kbhgames.com/game/dracunite
An older version of my game has been stolen by some of the same culprits you list. But then I discovered sitelocking and it's been fine since then.
To my understanding, you just have to check what domain your game is hosted on. I don't know what framework you're using, but in Game Maker Studio 2, what I do is first grab the domain using
domain = url_get_domain();
if ( domain == "v6p9d9t4.ssl.hwcdn.net" || domain == "uploads.ungrounded.net" || domain == "b-cdn.gamejolt.net" ) {
legit = true;
}
Then I ask the game to run if "legit == true", otherwise, display a UI that shows my game's logo, URL and an explanation that you can play it on itch.io. "v6p9d9t4.ssl.hwcdn.net" is the domain to check for for itch.io.
Hope that helps.
Hi, I've been trying to make my game accessible via source code but am getting this error:
"You're seeing this because the site you loaded the game on tried to steal or hotlink it from itch.io. Play the original game safely & securely on itch.io."
The game is on itch though, and I am the owner.
Is it possible to resolve this please so that the game can be included in other collections via source code?
Here's the game/link that brings up that notification ^ https://itch.io/embed-hotlink/2046604
Hi, I'm getting the sitelock issue on https://impbox.itch.io/encumbered (among several others), using Firefox Nightly. This issue even persists after turning off all privacy extensions and disabling Enhanced Tracking Protection for that page.
EDIT: The solution was to turn off network.http.referer.spoofSource in about:config, but that is not a long-term solution to the problem.
I tried playing a Dr. Ludos game & it brought me here https://itch.io/embed-hotlink/1005038
I completed https://rbatistadelima.itch.io/out-there and it did a thing and then I got the site lock notification
Hello! I saw this for the first time today. For months I’ve got used to open the iframe in a new time to avoid javascript sandboxing errors (indirect call to null and others) that prevented many games from loading. It could be firefox third-party tracking protection and/or privacy plugins that cause this. It was fine to get these errors when the workaround worked, now I’m not sure what to do.