More options for "Untrusted URLs"
tracked

SuperFlue
With new features for remote string and image loading, there will be more of a push on users to just always have "Allow untrusted URLs" enabled permanently to allow worlds to function properly.
In that case it might be worth taking a second look at how this function is set up and presented.
I would suggest implementing "world moderation" actions.
So instead of having a global setting that always trusts URLs, instead you have an option to "Allow untrusted URLs in this world".
An additional "power user" option could also be that users can add more "trusted URLs" through the config JSON.
And the trusted URLs (both custom and built-in) should be presented somehow in the settings menu.
An additional consideration would be to show which untrusted URLs are being used in the world (under debug settings menu maybe)?
In this case there is no need to present the full URL, but just the hostname.
With these options maybe there should also be a capturable feedback in UDON when a user tries to load an untrusted URL they have not allowed?
That way it is possible to build error handling to present the actual issue to users in the world.

hare_ware
It would also be great if there were an option to automatically block untrusted URLs in Public instances. Stumbling into a malicious world seems much less likely than stumbling into a malicious user in a trustworthy world.

MyroP
In popular worlds that have a video player, I see more and more often people putting shocking/NSFW videos on the video player, those videos usually come from an untrusted URL (so not YouTube).
Having a world-based "Untrusted URL" setting could improve this issue.
Maybe having an "Allow Untrusted URLs" option on the VRCUrl component could also help.
This won't fix the issue, but probably improve it.

Scout - VRChat Head of Quality Assurance
tracked

Observer․
100% need to provide smarter ways for the user to navigate untrusted URLs. This way we are making informed choices and not blindly using a toggle just so things don't break in worlds.
I saw the March 9 dev blog and instantly thought why don't we have an in game prompt to confirm that we want to allow the untrusted URL to load.
For example some web blockers will present an "allow once" and "allow always" prompt. The allow always prompt obviously adds it to a custom whitelist. Other options specific to VRC could be allow for world or allow for world creator.
Some might say these things would bring a poor user experience, well you need to decide the balance between safety and convenience. My vote is on security or at least providing a way for me the end user to enable extra checks.

LucyLuuu
Adding to this, having a way to check within Udon if a user has untrusted URLs for this world enabled would be good.
This would help us creators so we’re able to display an error message to the user, instead of things just not working, them being confused and coming in our DMs and complaining, or worse, not saying anything and just writing the world off (not everyone reads the “allow untrusted url” notices we put up unfortunately).

Flir
There should definitely be the ability to see what kind of URLs are being requested, and maybe the ability to set URL filters for what is auto allowed and auto disallowed. I.e., ".discord.com" most people probably feel safe to add to the auto allow list, but not ".evilsite.hahah.youre.pwned" would definitely go on the disallowed list if it popped up.

Pein is Styxus
I would definitely love to see something like this implemented. Being able to change the whitelist of "trusted URLs" could be a good start as well like what miner28_3 said, but with emphasis on being able to create your own list and a separate default list. Sometimes you don't want to have to deal with a YouTube video loading.

miner28_3
Pein is Styxus: The current whitelist system was made in a hurry and it's clear, and there has not been any attempt on improving it. But with String and Image loadings now being a thing, I think it really is time now for them to get it better.

miner28_3
"An additional "power user" option could also be that users can add more "trusted URLs" through the config JSON."
This needs to also be present in the client itself, not only JSON.
Quest users need this ability too.
This could go very well together with Debug Menu that shows which Untrusted URLs the world is trying to use. A button next to that URL to Trust it would work great.
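
Added example, not part of the thread and not VRChat's code: a sketch of the policy the comments describe (built-in and custom trusted lists, a deny list, a per-world "allow untrusted" flag, and a prompt otherwise), matching on the parsed hostname rather than the URL string. The policy keys, function names, world ids and the built-in list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data; the real built-in trusted list is not on this page.
BUILTIN_TRUSTED = ["youtube.com", "*.youtube.com"]
SAMPLE_POLICY = {
    "allow": ["*.discord.com"],                  # user's custom trusted hosts
    "deny": ["*.evilsite.hahah.youre.pwned"],    # user's blocked hosts
    "allow_untrusted_worlds": ["world-A"],       # hypothetical world ids
}

def host_of(url):
    """Return the normalized hostname, or None if the URL is not usable http(s)."""
    try:
        parts = urlsplit(url)
    except ValueError:                           # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()    # drop a trailing root dot

def matches(host, pattern):
    """Exact match, or '*.example.com' matching subdomains on a dot boundary."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])        # suffix keeps its leading dot
    return host == pattern

def decide(url, world_id, policy):
    """Return (decision, hostname); only the hostname is exposed for display."""
    host = host_of(url)
    if host is None:
        return ("block", None)
    if any(matches(host, p) for p in policy.get("deny", [])):
        return ("block", host)                   # deny wins over every allow
    trusted = BUILTIN_TRUSTED + policy.get("allow", [])
    if any(matches(host, p) for p in trusted):
        return ("allow", host)
    if world_id in policy.get("allow_untrusted_worlds", []):
        return ("allow", host)                   # user opted in for this world
    return ("prompt", host)                      # ask: allow once / always / block

if __name__ == "__main__":
    for u in ["https://cdn.discord.com/a.png", "https://evildiscord.com/a.png",
              "https://cdn.discord.com@media.example/a.png"]:
        print(u, "->", decide(u, "world-B", SAMPLE_POLICY))
```

The "prompt" result is also the point where a world script could be told the load was refused, and the returned hostname is what a debug menu would list.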