Thank you for bringing attention to this unexpected bug. Upon further investigation, we discovered that it is an embedded CSRF protection that prevents access from third-party websites. The challenge arose because embedded content from the web application was included in plain HTML uploaded to Itch.io.