Using Goatse to Stop App Theft
I recently built a browser-based word game with my friends called Sqword (sqword.com). I'm proud to say that we've been able to maintain a steady group of daily active users over the past 6 months or so despite not doing any real advertising.
Vultures will even pick at modest success stories.
Yesterday one of my collaborators googled "sqword" and to his surprise, there were tons of first-page results that weren't the sqword.com domain. These sites are "game aggregator" sites that host your app inside of an iFrame so that they can steal ad revenue from your product.
This made me angrier than it should have - not because Sqword is a cash cow - we don't run ads on the site and don't make money from it, it's just for fun - but because it was a passion project with friends, something pure and intentionally free to play WITHOUT ads. It's against my ethos as a developer: there are banners and popups everywhere. If I build an app, I believe it should either be free or it should be up-front about what the subscription or purchase price is (and then not upsell you).
I couldn't abide seeing my code monetized in this way.
The mature and responsible thing to do would have been to add a content security policy to the page. I am not mature, so instead what I decided to do was render the early 2000s internet shock image Goatse with a nice message superimposed over it in place of the app if Sqword detects that it is in an iFrame.
It has been one of my greatest achievements as a dev: to live-deploy a massive goatse image to at least 8 domains that aren't mine.
Let this be a lesson to you - if you are using an iFrame to display a site that isn't yours, even for legitimate purposes, you have no control over that content - it can change at any time. One day instead of looking into an iFrame, you might be looking at an entirely different kind of portal.
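
The two defenses mentioned above, a content security policy and in-page frame detection, written out as an added example (not Sqword's actual code). The function names and the `self !== top` detection method are assumptions, since the post does not say how the check is done.

```javascript
// Added example. Function names are assumptions, not taken from Sqword.

// Server side: response headers that make the browser refuse to render the
// page inside a frame on any origin that is not listed. frame-ancestors is
// ignored in a <meta> tag, so it has to be a real HTTP response header.
function antiFramingHeaders(allowedOrigins = []) {
  for (const origin of allowedOrigins) {
    // Accept only plain https origins so a crafted value cannot append
    // another directive to the header.
    if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(origin)) {
      throw new Error(`not an https origin: ${origin}`);
    }
  }
  const partners = allowedOrigins.length > 0;
  return {
    'Content-Security-Policy': partners
      ? `frame-ancestors 'self' ${allowedOrigins.join(' ')}`
      : "frame-ancestors 'none'",
    // Fallback for browsers without frame-ancestors support. It cannot list
    // partner origins, so it fails closed to same-origin framing only.
    'X-Frame-Options': partners ? 'SAMEORIGIN' : 'DENY',
  };
}

// Client side: one way to detect framing (an assumption about the method).
// Comparing the two window references is permitted across origins; the
// catch makes any unexpected access error count as "framed".
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (err) {
    return true;
  }
}

// Chooses what to render. The script check only runs if the embedding page
// allows scripts in the frame, which is why the headers above are the
// control to rely on and this is the fallback.
function chooseView(win) {
  return isFramed(win) ? 'blocked-notice' : 'app';
}

// Browser entry point; skipped when the file runs under Node.
if (typeof window !== 'undefined' && chooseView(window) === 'blocked-notice') {
  document.body.textContent = 'This page is meant to be played on its own site.';
}
```

The headers are enforced by the browser before the page renders, so they hold even when the embedding page prevents the framed script from running.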