How to detect hot-linking

Questions
1

So my stolen game is here - the site has simply hot-linked to my own website which circumvents the domain check I implemented using @Pkeod’s code from this thread

Does anyone know of a way to detect this type of hot-linking from within Defold?

Help appreciated! I’m sick websites stealing my hard work.

3 Likes
2

Try this solution https://stackoverflow.com/a/13108467
with html5.run() function.

1 Like
3

But then can’t he hide it with this?

What about document.location.href?

1 Like
4

Oh, didn’t know referrer can be cleared.
I think document.location.href would be the url of the iframe.

5

You can also try this to check if you’re inside any iframe:

window.self !== window.top

But I read in some places that some browsers block window.top due to CORS.

1 Like
6

Thanks for the help!

I’ve found I can simply add some rules to .htaccess to prevent the hotlinking in the first place. Game will now not even load on the pirate website whilst running normally from my own.

nope
nope720×617 70 KB

7 Likes
7

Nice!
Would you mind sharing said .htaccess rules?

Actually as of now I can still access your game on the site

image
image843×1091 166 KB

8

That might be a cached version? Otherwise I’ll have to do some more testing.

Here are the rules. Basically just blocks hotlinking of html files (and png)

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?jacobsladder.uk [NC]
RewriteRule \.(png|html)$ - [NC,F,L]

Not my own code - it was generated from this website

3 Likes
9

I can confirm it stopped loading for me too now on the pirate site.

3 Likes
10

A good first step, at least forces them to update their site to hide the referrer if they want to continue showing your game. You might wanna continue monitoring it and/or add some link to your website in the HTML in case they do bypass it. The beneficial side of CORS here is that he can’t really do much to edit what’s inside the iframe in order to hide it afaik.

2 Likes
11

Maybe change your Forbidden 403 error page to an easy way to click through to your main site? :slight_smile:

There should be more ways to block iframe embedding as well.

4 Likes
12

If you return the X-Frame-Options header you can control who (if anyone) is able to embed your pages in iFrames.

4 Likes