koobas.hobune.stream
How do I sitelock a game?
When I was learning about the various kinds of sponsorships, I found out, that some licences require sitelocking the game to the sponsor's page. First I thought it would work with something like
var locktoSite : String = chat.kongregate.com; //for Kongregate as example
private var showContent : boolean = false;
function Start(){
var _url : String = Application.absoluteURL;
var _urlParts : String[] = _url.Split("/");
if(_urlParts[0] == locktoSite)
showContent = true;
}
Then again this might be worked around by using something like an iframe. I'm not really sure though,since I have hardly any experience with HTML. It is pretty critical for the sitelock to work when it comes to sponsoring so I have to be 100% it works and can not affort to test it out myself.
Thank you.
I don't know. absoluteURL should check for the html page the game runs on, but I don't which value is returned if the game gets embedded on another page using iframe. I kinda think it returns the url of the original site thus the game can be embedded without limitations.
After some research i also found the Application.srcValue method (is it a method?) which checks for the relative path of the game file. Those both combined would work in that case.
However I'm still insecure if this really is enough. Can I prevent piracy effectively like this or am I just paranoid?
You can test this extremely easily yourself - Just create an html page that includes your webplayer in an iFrame and see what it does...
You don't need to run this on a webserver, just anywhere it can access your webplayer.
You can include queries to external file or files, possibly textures or xml files, located on the server and block the Webplayer if can not access them. You can easily have control over everything.
Thanks yor your comments. I tried running a test project through an iframe (had to learn how to do it first thus the late reply). Sitelocking did not work! absolute URL and SRC value were debugged just like I opend the project through the original html page which I included in the iframe.
Checking for absoluteURL and SRCValue can be worked around using an iframe.
@tomekkies2: I don't really understand, what you mean. If I store parts of the game externally how do I know, that the webplayer which tries to load them comes from a legit site?
First thing - this kind of site locking isn't easy. There are many, many ways of including content in a page and I'll almost guarantee that there are work-arounds for all the things I'm about to suggest. You should carefully look at what is required of you by the publisher because you may just need to protect against a couple of common avenues, which means you can focus your efforts there.
Situation 1 - Someone tries to embed your unity player in a different page.
This can be solved by looking at the Application.absoluteURL as you're doing above. This will work on the page that the player is loaded in.
Situation 2 - Someone embeds the entire page that hosts your webplayer in an iFrame.
To stop this one you need to communicate directly with the browser. Luckily this is something Unity can do.
So you just need to write a little bit of Javascript (real javascript, not unityscript) to check whether there is a parent to the current page and redirect if there is.
(UNTESTED!!)
Application.ExternalEval(
"if(parent && parent.document.location.host != '" + locktoSite + "') { document.location='http://goo.gl/9ulDD'; }"
);
Thanks for your reply. This approach looks very promising. Unluckily i don't know how to code real javascriot right now so I will need some time to learn how things will work in detail. $$anonymous$$aybe I am lucky and find a detailed tutorial or even a piece of code now that I know what I need to look for. If this is the case I will let you guys know.
Ok i've done some testing and unfortunately your code did not work. It could not prevent an iFrame from running my test project. I was able to block the iFrame by using a slight variation of your code(see below). However this is not a solution either since many game portals run their games through an iframe themselves. Thus your game would not run on those sites at all.
Application.ExternalEval(
"if(window != window.top) {
document.location='*homepage*';
}");
}
Yeah, as I said, untested :)
Turns out that I had forgotten about cross domain policy. When dealing with frames you can't access a page from a different domain.
This actually means we don't even need to check the host of the outer page, because if we can even access it then we know it's from the same domain anyway.
So this will redirect someone if your page is not being embedded in a page with the same host:
Application.ExternalEval(
"if(parent && parent.document == undefined) { window.top.location.replace('http://goo.gl/9ulDD'); }"
);If you really do need to check the exact URL (for example, you're hosting the page on foo.com and you want bar.com to be able to embed your content) then you can check the document.referrer, which is set to the URL of the page that includes the frame:
Application.ExternalEval(
"if (parent) {
var pathParts = document.referrer.split('/');
if (pathParts[2] != '" + locktoSite + "')
window.top.location.replace('http://goo.gl/9ulDD');
}"
);I'll also reiterate that you should check the requirements around what measures you are required to provide for the publisher. If they're embedding things in iFrames then they possibly do not require you to check against that sort of thing.
Thank you for all the time and effort you have put into my question. From what I just learned: document.referrer returns the url of the last referrer. Thus checking only for document.referrer can be worked arround by putting the Iframe in an Iframe ins$$anonymous$$d of the root page. But this should be fixable by checking if the application runs through multiple iframes of if the parent is top or something like that. On the downside I also read that referrer might be empty if the page was not directed by a http (in example https). In which case the game would not be accessable from the legit site.
Lets just hope the requirements for a sitelock won't be that strict. In either case I feel more comfortable about promissing a sitelocked version. Thanks alot.
Glad to help. As I said in the answer above, there will always be a way around this sort of thing. If someone really, really wants to pirate your game, there's going to be a way to do it. All you're able to do is make it hard enough that they couldn't be bothered/can't figure it out :)
In terms of the https issue you mention, this can be fixed by embedding the iframe using a https url. The parent and child must both be under http or both under https for the document.referrer to be populated.
In terms of the multiple nested frames... I'd say that would have to be the responsibility of the publisher. At that point it's their page that's being embedded, and if they're on a different domain to you then there isn't any way for you to access the information to say whether it's a legitimate place for your content to be.
Anyway, the above should provide a good generic starting point which can be customised as per the requirements of a specific publisher. :)
Answered in another thread, simply...
http://answers.unity3d.com/questions/36816/does-the-unity-player-support-domain-locking.html
