Hey, thanks for posting about this. It is good to see the site's security being taken seriously, though I do have some issues with how this change affects the aesthetic of project pages.
I primarily use itch to sell sound libraries, and I have found that pages can look quite nice if I have a large YouTube embed with the sound library's trailer that takes up the width of the page. Now I feel that my pages look quite bare, because the "click to activate YouTube" video is comparatively small and is left-aligned. I also feel it's a bit less "idiot-proof" (for lack of a better term 😉) to hear an example of my sound libraries.
Is there any possibility for any websites to be "whitelisted", so they appear as before without needing to be enabled? I don't claim to understand the technical aspects of it, but I would imagine that iframes from YouTube or SoundCloud for example would be safe. And from what I can tell, it does appear that the "activate" box is aware that the iframe is a YouTube video and already displays it differently to the generic "activate" box. Perhaps trusted websites like these could be displayed as before?
And another thought that may or may not be possible - could the new "click to activate" boxes be made to match the size of the original iframe? This would minimise the effect the new system has on page layout.
Is there any possibility for any websites to be “whitelisted”, so they appear as before without needing to be enabled? I don’t claim to understand the technical aspects of it, but I would imagine that iframes from YouTube or SoundCloud for example would be safe.
From a privacy perspective, we are moving away from automatic embeds from third-party platforms. Users will have to opt-in to loading these iframes by clicking on them. Where possible, we can try to insert an image in the placeholder to communicate what is embedded. (We do this with YouTube videos currently)
And another thought that may or may not be possible - could the new “click to activate” boxes be made to match the size of the original iframe?
I think this is something we’ll likely explore in the future.
Thanks
Disabling auto-showing of SoundCloud playlists directly hurts my ability to sell my music packs on itch. It is not obvious at all to visitors that the new 'click to enable embeds' thing will display a SoundCloud playlist. Forcing people to click on a thing they don't immediately understand in order to display a thing they don't know is available is really... bad. I understand the security concerns you're facing, but if those security concerns aren't coming from SoundCloud playlists, please find a way to enable them to auto-display again.
Maybe you could add a custom-built field in the product creation template that is specifically for SoundCloud playlists similar to how you have one for a trailer video. To be effective at all, those playlists really need to auto-display. There are a lot of soundware creators on itch, and as it stands the current change hurts all of them.