itch icon indicating copy to clipboard operation
itch copied to clipboard
verified publisher icon itchio

Web games run through the itch app do not run in a secure context

Open bradenbest opened this issue 3 years ago • 3 comments

Throughout development of Free Rings, particularly v1.7 and v1.8, I've noticed that the itch app does not run web games in a secure context. This is actually a big problem.

In v1.7, I added leaderboards to the game. To help identify a user on the leaderboard, they are given a UUID when they first start the game. I noticed during dev that crypto.randomUUID() is unavailable when not run in a secure context (e.g. HTTPS), so I wrote a polyfill for just in case the crypto API is unavailable, but locked it behind a test switch. You can imagine my surprise when I booted the game in the itch app and the leaderboards were broken because crypto.randomUUID is undefined. Okay, no biggie. I took away the wall and allowed the less cryptographically secure polyfill to take over when crypto isn't available.

In v1.8, I added joypad support. The Gamepad API, in W3C's infinite wisdom, is locked behind secure context. Which means not only was implementing the joypad code a nightmare, but, as I feared, the game is currently broken in the itch app, because the API is unavailable. So now I have to polyfill an entire module with dummy code in case the Gamepad API is unavailable.

Even if it's not to fix the many things that are broken by the lack of a secure context, it would at least be nice to be able to use a joypad to play games.

bradenbest avatar Sep 29 '22 06:09 bradenbest

Actually it doesn't seem like the app is all that compliant with web standards to begin with.

  • When I click buttons, they get a yellow outline for some reason. That doesn't happen in any other browser I've tried.
  • lack of modal dialogues like alert and prompt (though tbf they're supposed to be deprecated anyway)
  • my game is currently completely broken in the itch desktop app but nowhere else. No canvas rendering what so ever. Who knows why. Maybe I would know if I could open a javascript console.

bradenbest avatar Sep 29 '22 06:09 bradenbest

I rolled my game back to the last known working version, v1.7.7, and now that version is broken, too. A version that was working before, is now not working, despite no modifications. It seems the desktop app has deeper issues.

bradenbest avatar Sep 29 '22 07:09 bradenbest

Looks like the Itch devs fixed the secure context thing as of the latest version.

PixievoltNo1 avatar Dec 28 '23 10:12 PixievoltNo1