Allow URLs for string & image load to be created programmatically
ModerateWinGuy
Being able to programmatically create URLs to load things would make the web loading tools much more flexible.
IE: Im trying to load data from a google calendar that requires a querystring with the start date, and being able to supply that calculated on the fly makes things much easier.
It would also allow the string loader to provide URLs for the image loader so we could change what images we have loading without having to replace the image that is being hosted or reupload the world with a new URL.
Log In
u-Kotovsky
It would be nice to make it also a separate toggle like "Allow Untrusted URLs" to be called like "Allow generated by worlds URLs". It is a pain to get it all working like to get from api urls and load preview into image, which does not seem to be able to do for now.
Equinn
This would be absolutely essential, otherwise this whole string/image loading feature is very limited in use.
Docteh
I suspect improvements will be cautious and slow to avoid security or privacy issues.
Maybe you could have a list of some weekly urls, and choose the correct one at run time?
Then the world upload is good for an amount of time. If you time it right, the work around will last until next improvements
ModerateWinGuy
Docteh: yea. I'm sure they're just being cautious but just wanted to make sure to express a desire for it early so they know that people would like it.
In the meantime I've set up a little service that runs every hour on my server that parses all the calendar data and writes it to a pastebin file and just read it in udon from that.
Means I can strip out all the extra data I don't care about too.
Equinn
Docteh: I find it interesting how everybody is talking about security and privacy concerns regarding this (and other odd limitations VRChat has), and honestly I don't see it. Realistically you can't collect anything that could be considered sensitive, you can't record voice chat, you can't fetch usernames (only display names which are already public), you don't have access to account information or to files on the user's computer. If security and privacy is a concern, then instead (or next to it) of the "trusted URL" feature they should have an "allow communication between worlds and 3rd party servers" option in settings, so you can simply block any sort of downloading or uploading of data (this setting is checked runtime by udon and if it's disabled it simply blocks the functions that send/recieve data). As a matter of fact the VRChat web api can collect a lot more "sensitive" data than anything in-world....
Docteh
Equinn: my understanding is that right now, you can send as image request from a world, that lets you track usage of the world, maybe you can track certain usage like have a secret to be found, load a something when the user finds it.
If you can somehow send my username as part of the URL, you can now know when I've visited the world, and as part of that you can match me to an IP address. If you can send instance number, then you can track who is hanging out with who.
Just because VRChat tracks me, doesn't mean every world author needs to be able to as well.
Maybe opening up remote loading needs to be paired with more granular settings on untrusted sites.
Equinn
Docteh:
So currently no, you can't use automated requests to track anyone or anything. The only way to send any non hardcoded data, is through asking the user to send the URL that contains the data. You can already do that now and the user would be non the wiser about what's in that URL...so if somebody wants to somehow spoof someone they can already do so, by having your script generate the url and ask the user to send it to your server from within VRC via copy-paste (you could give any sort of reason for that that sounds reasonable).
If they introduce the option that I suggested above, where you simply opt out of the data exchange and then nobody can track you (and you also loose the functionality that comes with said data exchange), we would be no worse off than any website on the internet. This could be done per world even, have a popup disclaimer where you have to agree to data collection. This is fairly similar of setting cookie settings on websites, just less granular.
Also you can't get hold of a username in-world, only a display name, which is not unique, but of course can still be an indication. There is currently also no way to get hold of the instance ID through udon. Maybe there is some way to do this through the website api, but not sure how you'd be able to use that data to harm the users in any way. Even if you could get said data, you'd have to be the author of most worlds in VRC to be able to track where people are and who they are with....Otherwise all you can do is see who is on yours, which frankly doesn't sound very useful for any malicious purpose? Stalking?
At any rate, if they'd just introduce that option to not allow any data collection , per world, it would sort out this somewhat (in my opinion) overblown security risk as well...If this method works for the rest of the internet, I'm sure it would be fine for VRC.
DarkSwordsman
Docteh: What VRChat needs to do is instead of just broadly limiting it for everyone, giving the option for people to whitelist worlds, or explicitly consent on every world load for data to be collected/runtime VRCUrls to be generated.
I want my data to be allowed to be collected, because I know what sorts of amazing features can come from a lower rate limit and runtime VRCUrls.
VRChat doesn't even provide the functionality currently to explicitly whitelist or blacklist URLs. Only a generic toggle to allow non-whitelisted URLs.