Alliframes, with the exception of itch.io embeds, are now click-to-activate within project’s description, and other developer-provided fields. This is to prevent code on third-party pages from executing automatically when you navigating to someone’s itch.io page. We’ve seen scammers attempt to take advantage of how we treated iframes to initiate a download of malicious code automatically. Additionally, this change will prevent third-party services from automatically performing tracking without your consent. (Note, click-to-activeiframeswere already used in comments and community posts, this change now applies the same restrictions to the project pages themselves)
Hi leafo, I like the idea here but I'm not convinced on its effectiveness. If someone wants to initiate downloads on a project page, they can do so using an HTML5 game and checking "Automatically start on page load". Additionally, this change doesn't seem to apply to profile pages, devlogs, or the "Gameplay video or trailer" YouTube/Vimeo embed, where iframes continue to run without clicking.
Reduced tracking I'm not sold on, seeing as itch.io supports Google Analytics and the Facebook pixel, but I don't believe those services reveal raw IP addresses so maybe there is an argument to be made there.
The external links change is rather rad, though, potentially reducing phishing scams.