Sitelock

  • We need better methods to protect HTML5 exports.

    As it stands we have two expressions from the Browser object, those being domain and referrer.

    There are issues to using both of those.

    Browser will work if, and only if, the page is by itself on a host; however, a great many portals require you to provide a URL so that they can embed the game in an iframe.

    This means that browser.domain will only return the source of the iframe, and not the url of the page where the iframe is hosted.

    That makes it useless for this case.

    We also have browser.referrer, which is a step up, but it also presents an issue, as most portals will have different reference URLs based on search queries, member details, CDN, etc. Then, unfortunately, these portals are not in the habit of providing what all these URLs will be, let alone any method to protect your games.

    We need a way to get the parent domain.

  • I'm hesitant to make a built-in sitelock feature in C2 since it provides a single point of breakage. Once someone figures out how to circumvent the sitelock, they can circumvent it for all C2 games. However if you invent your own solution it's more work since there is no one way to globally unlock all C2 games.

    Aside from making events check their own domain, HTTP has features to prevent unwanted frames. X-Frame-Options looks like it can do it, but the newer standardised version is Content Security Policy, specifically the frame-ancestors directive. Configuring your server to send an HTTP header like:

    Content-Security-Policy: frame-ancestors 'self' https://awesomearcade.com

    should only allow the page to be framed by either its own origin, or https://awesomearcade.com.
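
    Added example, not the forum's or Construct's own code: building the response headers that restrict who may frame the exported game, for a server you control. The portal origin is the one used in the post above; the port and file name in the usage comment are assumptions. Note that 'self' has to be single-quoted in a CSP source list, and that X-Frame-Options cannot express "my own origin plus one portal", so it is only useful as a fallback in the same-origin-only case.

```javascript
// Added example (not code from the thread or from Construct 2). Builds the
// headers that limit framing of a game hosted on your own server.
// Assumption: "https://awesomearcade.com" is the only portal allowed to embed it.

// Build the Content-Security-Policy value. 'self' must be single-quoted in a
// CSP source list; an unquoted `self` is read as a host literally named "self".
function frameAncestorsValue(allowedOrigins) {
  const sources = ["'self'"];
  for (const entry of allowedOrigins) {
    let parsed;
    try {
      parsed = new URL(entry);
    } catch (e) {
      throw new Error("not an absolute URL: " + entry);
    }
    // Accept only a bare origin (scheme://host[:port]) so the allow-list reads
    // exactly as what it grants; a path or query here is almost always a mistake.
    const bare = entry.replace(/\/$/, "").toLowerCase();
    if (parsed.origin.toLowerCase() !== bare) {
      throw new Error("expected a bare origin such as " + parsed.origin + ", got " + entry);
    }
    sources.push(parsed.origin);
  }
  return "frame-ancestors " + sources.join(" ");
}

// Headers to set on the HTML response. X-Frame-Options (the older header) only
// has DENY and SAMEORIGIN as widely supported values, so it is added for old
// browsers only when no external portal is allowed at all.
function sitelockHeaders(allowedOrigins) {
  const headers = { "Content-Security-Policy": frameAncestorsValue(allowedOrigins) };
  if (allowedOrigins.length === 0) {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Usage with Node's built-in http module (port 8080 and `gameHtml` are assumed):
//   const http = require("http");
//   http.createServer((req, res) => {
//     res.writeHead(200, Object.assign({ "Content-Type": "text/html" },
//                                      sitelockHeaders(["https://awesomearcade.com"])));
//     res.end(gameHtml);
//   }).listen(8080);
```

    The header only helps in the scenario where the game is served from a host you control: the browser enforces it on the framed document, so a portal that copies the files onto its own server decides the framing policy itself.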

  • Well, getting these portals to change their servers will go over about as well as getting them to use a different tag than iframe.

    Creating our own method is fine, except we don't have that many options from within C2.

    That does bring up something else to consider.

    What would be good to have are some parsing methods other than regex.

    Right now I could just get the domain from referrer, and I would be happy, but there's no simple solution to get that.

    Another issue we have is getting information from external third-party APIs, but as is we have a hard time just figuring out our own JSON files we get from C2.

  • I thought you meant portals would iframe your game running on your own site? In that case you can specifically allow the portal and nobody else. If it's hosted on the portal itself, then it's up to them to prevent people iframing their content (which I would have thought is very much in their interest anyway).

  • There are different scenarios. The one that's the problem is where the portal has an iframe that points to my game, on my server.

    That has the advantage of saving them bandwidth, and allowing me to make updates easily; however, that also allows anybody to show my content on their site.

    Browser.domain only returns where the content is stored, not the site that's showing it.

    So no, I can't use that method to allow just a specific portal, and it's really not in their interest to keep people from stealing that content, since it's not their bandwidth.

    Browser.referrer gets the site that's showing it, but the information that's returned is not just the domain of the site, but the entire URL.

    We need exact strings to match, like scirra.com, not , which obviously you couldn't possibly know beforehand.

    I might add that all someone has to do to get my URL is search the page source of the portal for "iframe".

  • I don't think the referrer is a reliable thing to detect this with. There are a few security features that can blank it out (e.g. one in Content Security Policy again) and sometimes it's not present by default (IIRC https -> http drops it).
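
    Added example, not code from the thread or from Construct 2: a client-side sitelock check of the kind the thread asks for, written as plain functions so the decision logic can be run outside a browser. It pulls the host out of the full referrer URL (the parsing asked for earlier in the thread) without a regex, compares it to an allow-list by exact host or subdomain rather than by substring, and treats a blank referrer as its own outcome, since referrer policies, CSP and https-to-http downgrades can strip it. The hosts "mygame.example" and "awesomearcade.com" and the message text are placeholders.

```javascript
// Added example (not the thread's or Construct 2's own code): client-side
// sitelock logic for a framed HTML5 game.
// Assumptions: "mygame.example" is the game's own host and "awesomearcade.com"
// is the only licensed portal; both are placeholders.
const ALLOWED_HOSTS = ["mygame.example", "awesomearcade.com"];

// Lower-cased hostname of a referrer URL, or null when the referrer is blank or
// unparseable. The URL parser handles userinfo, ports, query strings and
// fragments, which is where a hand-written regex usually goes wrong.
function referrerHost(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact host or a subdomain of an allowed host. A substring test such as
// referrer.includes("awesomearcade.com") would also accept
// "awesomearcade.com.evil.example", so the suffix must start at a dot.
function hostAllowed(host, allowedHosts) {
  if (!host) return false;
  return allowedHosts.some((a) => host === a || host.endsWith("." + a));
}

// Decide whether the game should run.
//   ctx.framed   -> window.top !== window.self
//   ctx.referrer -> document.referrer (a full URL, not a domain)
//   ctx.selfHost -> location.hostname (what Browser.domain reports)
// Returns "run", "block", or "unknown" when framed but the referrer is unusable.
function sitelockDecision(ctx, allowedHosts) {
  if (!ctx.framed) {
    // Not embedded: only the host the files are served from matters, which
    // catches a straight copy of the export onto someone else's server.
    return hostAllowed(ctx.selfHost, allowedHosts) ? "run" : "block";
  }
  const parentHost = referrerHost(ctx.referrer);
  if (parentHost === null) return "unknown";
  return hostAllowed(parentHost, allowedHosts) ? "run" : "block";
}

// Browser glue: call from a script that runs before the game starts. In Node
// this function is simply never called. "unknown" is allowed through here so a
// portal that strips the referrer does not break the game; tighten if preferred.
function applySitelock() {
  const decision = sitelockDecision(
    {
      framed: window.top !== window.self,
      referrer: document.referrer,
      selfHost: location.hostname,
    },
    ALLOWED_HOSTS
  );
  if (decision === "block") {
    document.body.innerHTML = "<p>This game is not licensed for this site.</p>";
  }
  return decision;
}
```

    Because this runs in the client, anyone who downloads the export can edit it out; it raises the effort for casual copying, while the frame-ancestors header on your own server remains the control the browser enforces for you.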

  • It's like how a hash works.
