Sitelock Update

A topic by leafo created Nov 23, 2019
Admin


We’ve recently pushed out an update to all HTML5 games that adds a JavaScript based sitelock. If it detects a game from’s CDN is being loaded from a URL it will show a warning and provide a link to the page.

There are over 100k HTML5 games extracted to HTML on our servers. Although we tested as best we could, there’s still the potential that things break.

If you’re having an issue with the sitelock then please leave a reply here describing what’s happening, and include information about your setup/browser. If you run any browser extensions please try disabling them and trying again before reporting the issue (include the extension that caused a problem).

I'm a game owner trying to embed my game...

You can use the upload embed tool on your game’s dashboard. Please do not use the direct link for our CDN. That is not allowed, and this sitelock will now block that type of access. Thanks


Wow, great update. Nearly all of my games are hijacked by browser game hosting sites. I wanted to add some site lock mechanism at first but probably it won't work correctly, plus it will block the legitimate players as well. Also it's not a big deal for my side, as long as my game is played I'm happy. My only concern was, my connection with the player is cut by some silly ad bloated thief site :) . Maybe player wants to make a bug report or write some comment, but can't reach me.

I noticed I've been getting extra traffic on my game pages in these days. Mostly from external game hosting sites. So auto site lock update works perfectly, nice work. 

Admin

That’s great news that you’re seeing new traffic! On the referrer analytics, look for a URL that looks like and that will tell you how many people are coming directly from the automated sitelock.

So... I try to play a game on, my FAVORITE gaming website, which went not so good. It said I had to stop and go here to play, which I thought was DUMB. I always go on a lot. And I mean a LOT. So much that I never want to change webs. Why not let 2 sites ( play their games instead of 1? It will give more fun stuff! It will also make me happy!


Hey !

One of my game for a gamejam doesn't work anymore, and a link leads here so...

Can you help me ? I already look a little bit stupid on streams showing your hotlink issue... 🥺

At least it was not a stream for the gamejam results... 😀

Hey! I got it!

It must be because the game loads itself in an iframe at the end!

Actually my game jam entry is an adaptation of the game jam entries themselves and you can play my game in my game. And yes, I must confess that it's silly.

But when you check that the game is not hotlinked, do you look at the domain ? Or a game loaded from an iframe is considered an hotlinked one ?

Thanks !


If you’re embedding your own game, then I recommend using the official game embed support detailed here:

For embedding other games, I’m not sure I have a solution for that right now. Are you doing that?

No, I only embed mine. The other ones were only videos.

Thanks a lot. I will follow your link.


We removed all games from and several other websites. Although we do the same thing, I have been arguing against it because it means less players for developers and less links for sites that distribute content. It's a lose, lose for everyone in my opinion. For game developers that want the biggest player reach, I suggest instead of

Admin

Edit: I misread the original post and replied incorrectly assuming they were associated with Y8 games. I clarified below. Sorry about that to anyone reading.

I believe you removed them all because:

  • you no longer make ad revenue off of stealing our bandwidth
  • showing a page that tells the user that you are stealing from us is embarrassing

We have an authorized way for developers to create iframe embeds for their games, but what you did was steal without the permission of developers.

I doubt that you feel any sort of remorse about this, as I’m sure there are many other domains on your platform you’re hotlinking without permission that you have no intention of removing. You steal until you’re caught, rinse & repeat, all while showing as many ads as possible to extract as much money as possible.


I'm just a developer. I've been making games for nearly 20 years, so I don't get emotional about business. It was commonplace to freely distribute Flash games. As a developer, you should intentionally make games that will be picked up by other sites, more players and more money. If someone wants to "steal" my games and iframe them on their site. Please do so, I would be very thankful. The increase in players offsets any tiny bandwidth cost.

Maybe itch can not monetize games that are iframed? I don't work there, so I can't offer much advice. Sounds like a technical problem with the business model. Blocking distribution is causing losses for both itch and the developers that use it.

We do allow links and advertisements inside games. Blocking distribution only gives short term value and eventually results in publishers removing those games. If there is no value for the publishers to publish games, there is little reason to maintain those links to itch and the developers that use this site. Like I said before, we made the same mistake, so I'm speaking from experience, not just self interest.

I added my game, so now technically itch is hotlinking Y8. 🤣 Thank you

Admin

Don’t purposefully break our terms or the terms of other platforms, even if you’re making a joke, or we’ll have to suspend your page. Thanks

Admin

I’m sorry, I completely misread your post. I thought you were someone associated with Y8 since your account was just created and didn’t have any games on it. If they are your games we give you a tool to add iframe embeds on other sites, check it out here:

Really sorry about the confusion, I’ll edit my original post to clarify.

As a developer, you should intentionally make games that will be picked up by other sites, more players and more money

It depends on what kind of developer you are and what your goals are. This is not true for everyone. In fact, it’s not true for the vast majority of people who upload html5 games to Additionally, we took issue with the hotlinking specifically. These other portals could take the games and host them themselves, but they took the laziest approach possible.

Blocking distribution only gives short term value and eventually results in publishers removing those games

I’m not sure what you mean by short term value here. But in any case, we don’t work with publishers who mass publish HTML5 games for portals. We are a self publishing platform for developers to use directly. We want developers to have control over where their property is published.

If a developer wants to build a game packed full of ads, and get it loaded into as many portals as possible that’s fine for them. But, that has to be a choice the developer makes. I hope you understand our stance. Thanks

how did you do the iframe load method

its been a while lets talk on my mail or discord(if you have a discord)


or message me on skype



You are not a 'developer' you are a plagiarist and a coward.  Don't try to hide behind the 'but i'm a developer too look at my EXPERIENCE' garbage.

Attribution is REQUIRED for anything linked to or used.  Your website(s) do the absolute bare minimum they can get away with because you know most indie devs will either not know or not care to file DMCA takedowns on every web portal that plagiarizes a hosted version of their game.

Web portals are trash and always have been malware-ridden stains on the internet.  Gamers use Steam, GoG, itch, and other distribution stores to play games instead.  If people want plagiarized spyware-encumbered "free" games, they realize that those have almost all moved to mobile (the new dumping ground unfortunately).

Speak for yourself and never presume to speak for other devs.  Plagiarism is one of the biggest problems still infesting the internet.

The embeds also fail if you're using an addon like Smart Referer to (try to) preserve your privacy.

I'll try to file an issue and get & its CDN properly added to the default whitelist.
@leafo, could you link me to an example of a legally/properly externally embedded game?
Also, can be safely hardcoded? (or will a more generic exception be needed like * ?)

Meanwhile, to any other users like me, adding this exception did the trick:

Admin

is the domain for our HTML5 CDN, is too broad so it should be avoided. We plan to migrate HTML5 games to to * at some point, but we’ve held off for quite some time now because of potential issues, but you can also add it for future proofing.

Here’s a page with an embed on a different domain:


How about disabling sitelock when there's an empty referrer (means the player uses whatever privacy extension)?

Admin moved this topic to Ideas & Feedback

Could you please add a check if the supposed deeplink comes from the game's page? (I sometimes use "show only this frame" on games that do not seem to play nice with full-screen)

Admin

It sounds like you’re using some kind of browser extension that is changing how your browser works and is preventing our code from detecting what site the game is being loaded on. I recommend whitelisting our domains. You should let your browser send ancestorOrigins or referrer to the iframe hosted by us. Once you figure it out, if you can tell us what extension/option was blocking games from loading we can look into adding a workaround for it, or provide instructions directly on the page.

Regarding the amp page, we had an issue where we believed the code and page we created was getting blocked by some networks’ firewalls, so we used the amp cache as a quick way to load the page through an alternate URL. There is no personally identifiable information on this page. I’m sorry you don’t trust amp, but we’re unlikely to change it. If you update your extension settings then you should never see that page as long as you’re loading games from Thanks

I don’t understand how you jumped to the conclusion about us not trusting our users. We added the sitelock to prevent random sketchy game sites from ripping us and our developers off. If it’s not working for you when viewing a game on, then you’re right, it’s broken.

I suggested testing what extension is causing the issue so we can identify why it’s blocking it and implement a fix to allow you and others to play games on site. The only third-party javascript we load on a project page is going to be google analytics, but you can continue to block that if you’re concerned.


Admin

But origins are not since they are part of security policies and checking for modern browsers. We attempt to read the ancestor origins of the frame, and only read the referrer as a fallback for older browsers.
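Added example (not from the thread and not itch.io's code): a minimal version of the check described above, reading ancestor origins first and falling back to the referrer. The host names, the `classifyEmbed` function and its verdict names are assumptions made for illustration.

```javascript
// Placeholder hosts: the real domains are not shown on this page.
const ALLOWED_HOSTS = ["games.example"]; // sites permitted to frame the game
const SELF_HOST = "cdn.example";         // host that serves the game files

// Hostname of an absolute URL or origin string, or null if it does not parse
// (empty referrer, or the opaque origin serialised as "null").
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact match or a true subdomain. A plain suffix test would also accept
// "evilgames.example" for "games.example", so the dot is part of the match.
function hostAllowed(host, allowed) {
  if (!host) return false;
  return allowed.some((a) => host === a || host.endsWith("." + a));
}

// env = { framed, ancestorOrigins, referrer }. In a browser, pass:
//   { framed: window.self !== window.top,
//     ancestorOrigins: window.location.ancestorOrigins,
//     referrer: document.referrer }
function classifyEmbed(env, allowed = ALLOWED_HOSTS, selfHost = SELF_HOST) {
  // The file was opened directly instead of through an embedding page.
  if (!env.framed) return { verdict: "blocked", via: "direct-load" };

  // Preferred signal: the browser-supplied list of ancestor origins, parent
  // first. Policy choice in this example: every ancestor must be allowed,
  // so an allowed page nested inside another site still fails.
  const origins = env.ancestorOrigins ? Array.from(env.ancestorOrigins) : [];
  if (origins.length > 0) {
    const offender = origins.find((o) => !hostAllowed(hostOf(o), allowed));
    return offender === undefined
      ? { verdict: "allowed", via: "ancestorOrigins" }
      : { verdict: "blocked", via: "ancestorOrigins", offender };
  }

  // Fallback: the referrer. A missing referrer, or one that points back at
  // the game's own host (what referrer-spoofing settings can produce), says
  // nothing about the embedding site, so report "unknown" rather than
  // treating the player as a hotlinker. The caller decides what to do then.
  const refHost = hostOf(env.referrer || "");
  if (refHost === null || refHost === selfHost) {
    return { verdict: "unknown", via: "referrer" };
  }
  return hostAllowed(refHost, allowed)
    ? { verdict: "allowed", via: "referrer" }
    : { verdict: "blocked", via: "referrer", offender: refHost };
}
```

The "unknown" branch is the case the privacy-extension reports in this topic fall into: the signal is absent or rewritten, which is different from a signal that names a foreign site.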

This feature just decreases games visibility, even hotlinked games drive attention to the game and benefit to SEO. Restricting it will both drop SEO and amount of gameplays games receive. 

It's actually worse if games are downloaded and rehosted IMHO. At least for similar reasons image hosting websites do not protect images from hotlinking.


That’s not how SEO works. Additionally, we have an official way for developers to generate a URL to embed their game on other websites if they want to distribute their game elsewhere. Thanks

Hi, I linked my game onto my portfolio website and it was flagged as having been stolen. It's my own game on my own website. If you could rectify this, it would be much appreciated.



If you go to your game’s edit page, then go to the Distribute tab you can find a tool to create embed code for your game itself. Use that instead of trying to pull our CDN link directly out of the source of your page, we don’t allow that. Tell me if you have any issues. Thanks

This feature broke my submission for a gamejam.

The magazine that endorse the gamejam make a review of all games but mine as it was f*cked up on

Well... Actually it's too late to change anything and it's funny – in a very special way – to be the only one with a broken submission.

But well... That joke is not worth the maybe 30 hours I spent on this gamejam.

All I can hope, as I work in software development, is that you could have some more experience after «that disaster» (that the way I refer to it when I think about it) to avoid unexpected behaviours.



Hey, I’m not sure why you’re posting again on the bottom. I gave you instructions how to use a game embed URL from to embed your game on another domain further up in the topic though. Are you unable to use it? Did it not work?

Well, it's hard to explain but my submission use iframes with itself in it (the app load the app which load the app in frames).

But itch seems to prevent iframes. Not only iframes from other domains.

That's the point.

I feel a little bit angry for a lot of reasons, not only after the sitelock update. The gamejam was planned for August 2019. It was then decided to add one more month. Then the magazine take two more months to set the winners and another month before announcing the winner (the next magazine printing. And the sitelock update comes in the middle of all those delays.

It's bad luck as if any of those steps did not happened, I would have not face any issue.

So yeah, there is a little bit of bitterness in all that stack of events, unfortunately for myself.

Is it your fault ? No, it's not your only fault. Is it the gamejam endorsers one ? No, it's not their only fault.

Is it mine ? Yeah, sure. I should have switch from web to downloadable content sooner than what I do.

But the sitelock update should  not have prevent a legitimate hosted game to run on the platform. That's what I tried to explain (not in my native language).


If you are the creator of the game then you can generate embed code from your project’s Distribute edit tab that you can safely use inside of your project. We only block direct CDN urls.


Consider this a crash course on why 'hotlinking' is bad and why you should feel bad that as a 'game developer' you think it is ok to use that as standard practice.

There's a way to embed it properly or host it yourself as a fallback.  It isn't itch's job to permit hotlinks from their CDN for you or anyone else.

Also iframes within iframes within iframes is such a screwed-up system that you might be learning gamedev for browsers from some book made for Internet Explorer 6 back in 1999.  Time for you to learn HTML5 and the proper way to do game embeds from the itch platform.

This game isn't working

it will like half load unity and then crashes saying I'm not using

turned off all my extensions


What browser are you using? I had no issues starting it up just now.

im using mozilla firefox. and lit only found this


I wasn’t able to reproduce it on my version of Firefox. Are you sure you disabled all extensions? You said it crashes, does it show anything else?

Try using 'Firefox Portable' from PortableApps or another website of your choice.  That'll isolate any system issues and should permit you to load up the game.


I found the problem, it seems like if anyone has an extension that blocks referer or spoofs it. The HTML game will send it to the page about game being stolen or hotlink. More information here:


Can you share what extension is it? I’d like to try to identify them so I can either include instructions or code workaround.


I use ematrix a copy of umatrix on pale moon browser. Inside the 3 dotted lines next to the power button you will then see the switch for "spoof referer header".

Firefox has a built-in feature which allows you to open a frame only in a tab, i.e. cutting out the other website clutter. This triggers the sitelock thing, even if it was accessed from . Dunno how possible it would be to allow this while still stopping theft but it'd be very convenient.

Same issue here. Which becomes a problem when some games don't want to load otherwise.

How about letting devs decide whether they enable sitelock?

Admin

You can do this by using the game embed tool:


I don't understand: when a privacy-enhanced user checks a game's page (e.g. because they found it via search), they just get the sitelock warning indefinitely and confusingly. Are you saying gamedevs need to ensure users play the game from outside via an embed?

Just let us decide whether to enable it.

Admin

I think you’re talking about two separate things,

when a privacy-enhanced user checks a game’s page

If someone is seeing the sitelock on the page that’s a bug on our end. We’re looking into fixing it

Are you saying gamedevs need to ensure users play the game from outside via an embed

If someone wants to host their html5 game on another site, then they need to use the embed. We will no longer allow people to use our direct CDN links. It was abused too much. This is in line with how we do downloadable games as well: we don’t provide direct links to files, you must go through to download. This is important to help keep the platform alive by letting people discover I hope you understand, thanks

(There are other advantages to using the embed code as well: we can make features like analytics and in-game APIs work seamlessly)


Persistently getting hit with this on (latest firefox, ublock origin, https everywhere, privacy badger) but other pages (like ) are working perfectly fine. Tried disabling extensions, same problem.


Can you share what your browser privacy settings are on firefox? Under the “Enhanced privacy protection.”

If possible, you can try adding and to the exceptions list to see if it makes any difference.

I think long term we’re going to change our implementation to something that doesn’t rely on referrer data.

Thanks for testing


hey! im playing a game in browser on but it keeps telling me ive stolen or hotlinked it?? i dont know whats going on! thanks!

The game is called Known Unknowns, and it's great!! But I'm definitely playing it on itch, using the in browser player! It's a delight of a game, and even though I'm finished with it, I'd rather other people not have to deal with this issue! Thanks!

I noted a weird link in my analytics, as source of traffic.
It started with and then a bunch of numbers.

Clicking it, I saw someone tried to steal/hotlink my "game" (which wasn't even really worth stealing.)
But I can not see which site tried to hotlink my game. 
Is there a way I can find this out?


If you see that link in your referrers then that means that our sitelock has redirected users from a site that tried to steal your game to your page.

We don’t record analytics for where the embeds are coming from, so we’re unable to tell you where the site was being embedded. Sorry

Oh bummer. Might be a great option if that is possible in the future.
Knowing someone tries to hijack your game is good, but knowing who it is would be even better.

Thanks for your reply anyway.


Hi, I've just noticed that one of my browser game is no longer working when played from

The HTML5 game simply no longer loads in the "frame" that contains it. And when I try to directly open the page inside this frame to play the game (using Firefox => open the content of this frame in a new tab feature), I got a hotlinking/stealing page that told me to post here.

So here I am! The game with the issue is this one:

It's a standard HTML5 game embedded on (single html5 page), the game is made with the TIC-80 fantasy console.

Can you please fix it if possible?

Thanks a lot for your help!

I just tested it and the issue is still there for me :/

I'm not going to update itch every time my game is updated, also the lock makes the referral broken.

So why don't you guys just add a "embed external game URL" for HTML5 games next to the zip/html file upload and make it easier for everyone?

Admin

So why don’t you guys just add a “embed external game URL” for HTML5

We want people to upload their games directly to our platform and not use the “External link” feature. External links can break and tend to provide a poor user experience. (They break our apps ability to auto-update, we can’t track when files are changed, people provide links to things that aren’t direct files, it’s hard for us to verify that links are still correct and work, etc.) We will be deprecating external links for downloadable games in the future.

I’m not going to update itch every time my game is updated

Just like downloadable games, if you want to update your game you should upload a new build. Depending on how technical you are, you can automate this using a CI provider and butler.

also the lock makes the referal broken

Can you explain? The sitelock code does not change how games have been embedded, it’s a script that runs after the game is loaded that checks where the iframe is located.

I understand and respect the decision, just note that it does come at the cost of risking to have outdated games because of the upload process. 

About the referral, I mean that the Google Analytics referral list shows "" instead of the usual link. Not a big deal, and I think it's not hard to fix.

Free game, same issue, 160 days later :/

Is there any fix yet? I periodically stumble on this kind of issue.

Could you please fix that?

Hello! My site is And when you open your game on it, I get this answer:

I bought it and I'm loading it from but it says I can't load it. I'm using FireFox on Linux. isn't working while on itself.


What browser/extensions are you using? I don’t see any issues testing on Chrome with no extensions

Oh, nevermind, I got it to work by turning off Smart Referer! Thanks for reminding me to check what addons I had, I hadn't thought any of them would mess with it like this.


Hey I think this is what is causing my issue ( with flicksy (, which relies on being able to fetch its own javascript source code. I'm not trying to access it from outside of itch at all, but the javascript code seems to end up on a different origin to the page that's actually running it when you launch it from the itch page. Is there a way to disable this?

I tripped over this because my code assumed that the only script tags in the page were my own--I have an issue ( where I described how I'm working around this now, but it would be good to have a less hard-coded way to do this. 



I'm having trouble running any of the web-based games.

An example is

I've seen people mentioning the Referer: header so I captured it with the network tab of the developer tools:

Referer:<possibly sensitive bit>?page=53

... which looks intact.



Edit: using Firefox on Windows.


In this case, the referrer will not matter. It’s possible you’re using some privacy extension or browser setting that is preventing the browser from operating normally? You may want to try temporarily disabling those things to see if it makes any difference. An alternative approach, you could try running the HTML5 games in our app, as it will let you download a local copy of an HTML5 game.

Hope that helps

Thanks for the reply leafo.

Yes, I'm using umatrix in the browser and privoxy in the router, but I'd already tried bypassing both those.

I'm not really an 'app' sort of chap, so in the end I've installed a different browser on a USB stick for use with itch, and games are running OK on that. It's like using a dedicated app, but with more buttons & switches exposed.  You can never have too many buttons and switches!


Tim ... this is hitting issues. I'm not the developer, but the customer. Am very  much about privacy, so won't be turning off add-ons. Can't believe how broken is suddenly, especially when have paid for things, and devs need to have games easily seen and accessible. Terrifying to click through into my Library, then onto a purchase, and to see 'you're not on' plus a huge red square. Was it specially designed to look hacked and worry people? Seems so, as the relevant notice is in smaller print, and actually took a while to see. I'll need to not use anymore,  but will support devs who direct me to a secure link/site where I can support them/make a purchase. 

It won't let me play cuz it says i hacked it when i played on the site pls fix this

ok you probs kno why im here so bai


No, we don’t. You didn’t mention the exact issue you’re having.

Hi there, I'm trying to sitelock my html5 game so I made it only run if the domain is "" which works in the browser. But today I installed the itch desktop app for fun and noticed the game does not run. Are there any other domains I need to check against?


Nevermind, I just realized it's because HTML5 games need to be downloaded and installed locally to play it through the app. It seems that my music mp3 assets are exposed. Is there anyway to obfuscate that? (Or is there something I need to do outside of prior to building my files?) Because I spent a lot of time composing and producing those soundtracks. Would be sad to see them get stolen and used elsewhere.


This is not possible, I’m afraid. Any files the game needs will be downloaded and thus on the player’s computer. And security through obscurity has been shown to never truly work. Your best bet is to send DMCAs every now and then.

Hi everyone! I'm a bit of an idiot regarding this sitelocking mechanism so here are a few questions:

- Is there a procedure to perform to protect one's html5 game or does the autolock actually run automatically?

- My game (dracunite for the lowrezjam) has been stolen by a bunch of sites... So... I was assuming that if the autolock is working automatically... It no longer is or these sites found a workaround it. Is there anything I can do about it?

thanks for any help!

And the culprits I found on the first page of a google search...


An older version of my game has been stolen by some of the same culprits you list. But then I discovered sitelocking and it's been fine since then.

To my understanding, you just have to check what domain your game is hosted on. I don't know what framework you're using, but in Game Maker Studio 2, what I do is first grab the domain using

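// Domain of the page the game is currently running on
domain = url_get_domain();
// Default to not running unless the domain matches one of the expected values
legit = false;
if ( domain == "" || domain == "" || domain == "" ) {
    legit = true;
}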

Then I ask the game to run if "legit == true", otherwise, display a UI that shows my game's logo, URL and an explanation that you can play it on "" is the domain to check for for

Hope that helps.


Thanks! I'm using godot and I'll try to implement something similar to this!


Hi, I've been trying to make my game accessible via source code but am getting this error:

"You're seeing this because the site you loaded the game on tried to steal or hotlink it from Play the original game safely & securely on"

The game is on itch though, and I am the owner.

Is it possible to resolve this please so that the game can be included in other collections via source code?

Here's the game/link that brings up that notification ^


Hi, I'm getting the sitelock issue on (among several others), using Firefox Nightly. This issue even persists after turning off all privacy extensions and disabling Enhanced Tracking Protection for that page.

EDIT: The solution was to turn off network.http.referer.spoofSource in about:config, but that is not a long-term solution to the problem.

I tried playing a Dr. Ludos game & it brought me here

I'm using firefox on ubuntu with an adblocker and I can't play games on

I completed  and it did a thing and then I got the site lock notification

Hello, I got the game through a bundle but when I come to play it it just keeps telling me I should be playing it on  I have tried it with adblock and everything else disabled.  Is there a way to download the game by chance?

 You would have to go the developer's page on and play it there.  Alternatively, you can download and play it through the itch game console.

Oh thank you! Could you link me to the console please? I just find games tagged with console when I try.

Download App -

Thank you again!

Hi! I'm using Waterfox. None of the browser games seem to believe I'm actually on I've tried disabling my addons; no luck.

Any idea how to fix it?

Hello! I saw this for the first time today. For months I’ve got used to open the iframe in a new time to avoid javascript sandboxing errors (indirect call to null and others) that prevented many games from loading. It could be firefox third-party tracking protection and/or privacy plugins that cause this. It was fine to get these errors when the workaround worked, now I’m not sure what to do.

