Skip to main content

Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines

Click-to-activate iframes and outbound link highlighting on project pages

A topic by leafo created May 18, 2023 Views: 2,400 Replies: 16
Viewing posts 1 to 10
Admin (1 edit) (+1)

We’re making some relatively minimal changes to how game pages are rendered for security reasons:

All iframes, with the exception of itch.io embeds, are now click-to-activate within project’s description, and other developer-provided fields. This is to prevent code on third-party pages from executing automatically when you navigating to someone’s itch.io page. We’ve seen scammers attempt to take advantage of how we treated iframes to initiate a download of malicious code automatically. Additionally, this change will prevent third-party services from automatically performing tracking without your consent. (Note, click-to-active iframes were already used in comments and community posts, this change now applies the same restrictions to the project pages themselves)

Outbound links are now highlighted when you hover over them. This is to make sure you aware you’re interacting with a link that leaves the platform. Images inside links are also highlighted. The goal here is to prevent someone from crafting page that shows images that appear to be itch.io UI elments but are actually links elsewhere. Additionally, in some circumstances, if we detect a particular link to be suspicious, you may receive a warning when you attempt to click on it.

We’re making these changes in response to the new wave of scammers we’re seeing attempting to distribute malware on itch.io. If you haven’t already, please review the the topic about the “try my game” scam.

If you have any questions or issues, please reply here.

While I appreciate the efforts, can I suggest that the outbound links have a tooltip style pop-up instead of the frame + text? Something like this one from Wikipedia

Admin (1 edit) (+1)

Unfortunately we’re dealing with scammers trying to make fake UI to trick users. We don’t have the same goals as Wikipedia here. For the time being we’re making the status of a link and contained image very obvious. Because itch.io pages can be themed, we have more situations to account for.

You should probably put the red 'external link' notice on the Amazon, Google and similar badges too.

Admin(+1)

This change only applies to user-formatted content. UI provided by itch.io will not have this, even if it is a link to an external site. I feel like these badges are explicit enough to not need additional labeling, but we may revisit in the future.

There's a bug with the external link overlay: if there's text under the popup, it renders in front of it (especially problematic when it's another link).

Admin

Thanks for the report, fix should be deployed.

(+2)

Hey, thanks for posting about this. It is good to see the site's security being taken seriously, though I do have some issues with how this change affects the aesthetic of project pages.

I primarily use itch to sell sound libraries, and I have found that pages can look quite nice if I have a large YouTube embed with the sound library's trailer that takes up the width of the page. Now I feel that my pages look quite bare, because the "click to activate YouTube" video is comparatively small and is left-aligned. I also feel it's a bit less "idiot-proof" (for lack of a better term 😉) to hear an example of my sound libraries.

Is there any possibility for any websites to be "whitelisted", so they appear as before without needing to be enabled? I don't claim to understand the technical aspects of it, but I would imagine that iframes from YouTube or SoundCloud for example would be safe. And from what I can tell, it does appear that the "activate" box is aware that the iframe is a YouTube video and already displays it differently to the generic "activate" box. Perhaps trusted websites like these could be displayed as before?

And another thought that may or may not be possible - could the new "click to activate" boxes be made to match the size of the original iframe? This would minimise the effect the new system has on page layout.

(+1)

I have the same problem! I'm not a fan of how it affects the layout of the page:(

Admin (2 edits) (+1)

Is there any possibility for any websites to be “whitelisted”, so they appear as before without needing to be enabled? I don’t claim to understand the technical aspects of it, but I would imagine that iframes from YouTube or SoundCloud for example would be safe.

From a privacy perspective, we are moving away from automatic embeds from third-party platforms. Users will have to opt-in to loading these iframes by clicking on them. Where possible, we can try to insert an image in the placeholder to communicate what is embedded. (We do this with YouTube videos currently)

And another thought that may or may not be possible - could the new “click to activate” boxes be made to match the size of the original iframe?

I think this is something we’ll likely explore in the future.

Thanks

(1 edit) (+2)

Agreeing with Matt that YT and Soundcloud embeds should be safe enough to be whitelisted, as the layout pages looks really unsightly now.

(+5)

Disabling auto-showing of SoundCloud playlists directly hurts my ability to sell my music packs on itch. It is not obvious at all to visitors that the new 'click to enable embeds' thing will display a SoundCloud playlist. Forcing people to click on a thing they don't immediately understand in order to display a thing they don't know is available is really... bad. I understand the security concerns you're facing, but if those security concerns aren't coming from SoundCloud playlists, please find a way to enable them to auto-display again.

Maybe you could add a custom-built field in the product creation template that is specifically for SoundCloud playlists similar to how you have one for a trailer video. To be effective at all, those playlists really need to auto-display. There are a lot of soundware creators on itch, and as it stands the current change hurts all of them.

Deleted 1 year ago
Admin

Please don’t post on unrelated topics to try to get attention. Submitting a report for the page, a support ticket, or a new thread is the right way to go. Do not reply to random topics or posts created by admins or moderators.

All iframes, with the exception of itch.io embeds, are now click-to-activate within project’s description, and other developer-provided fields. This is to prevent code on third-party pages from executing automatically when you navigating to someone’s itch.io page. We’ve seen scammers attempt to take advantage of how we treated iframes to initiate a download of malicious code automatically. Additionally, this change will prevent third-party services from automatically performing tracking without your consent. (Note, click-to-active iframes were already used in comments and community posts, this change now applies the same restrictions to the project pages themselves)

Hi leafo, I like the idea here but I'm not convinced on its effectiveness. If someone wants to initiate downloads on a project page, they can do so using an HTML5 game and checking "Automatically start on page load". Additionally, this change doesn't seem to apply to profile pages, devlogs, or the "Gameplay video or trailer" YouTube/Vimeo embed, where iframes continue to run without clicking.

Reduced tracking I'm not sold on, seeing as itch.io supports Google Analytics and the Facebook pixel, but I don't believe those services reveal raw IP addresses so maybe there is an argument to be made there.

The external links change is rather rad, though, potentially reducing phishing scams.

(+3)

Any update on this? Any plan to relax the new rule in favour of facilitating those who use itch.io for music distro? It would be amazing if you worked in tandem with a selected music playlist service, such as soundcloud, to allow iFrame auto load at least on that.

(4 edits) (+1)

I second this 👆

Considere whitelisting soundcloud domain please, their embedded player is efficient and quite useful for selling audio assets here ☺️

Like everyone else, I understand the security/privacy concern with third-party content. It's just a pity that we can (almost) fully customize our pages with CSS but have iframes hidden behind a click.

Sample screenshot :


(+2)

I only just now learned about this change. Very understandable change, but I'm hoping some exceptions could be made, either on an account or project basis, or on a domain name basis (are Soundcloud embed's safe enough?)

Otherwise, I'll have to re-think how I am designing my pages, as I do rely on Soundcloud.