Please make the 5-second restriction for VRCStringDownloader, VRCImageDownloader, and VideoPlayer apply per domain instead of globally
chiugame
Thank you for your continued work on the development and maintenance of VRChat.
Currently, VRCStringDownloader, VRCImageDownloader, and VideoPlayer all enforce a 5-second delay between requests.
I assume this restriction exists primarily as a security measure — to prevent worlds from transmitting data externally without user consent — and I fully understand the reasoning behind that design.
However, this restriction currently applies globally across all domains, and that behavior is causing significant usability issues in practice.
For example, if an asset in a world includes components that use these downloaders, they all share the same cooldown timer.
As a result, even content that should load immediately upon joining the world may be delayed for several seconds — or even minutes — depending on how many downloader requests are queued.
In extreme cases, if just one asset tries to load 30 images at once,
the 5-second global cooldown means those requests could take up to two and a half minutes to complete.
This delay cannot be avoided by world creators, since the restriction applies globally and affects all content equally.
To resolve this, I suggest keeping the 5-second restriction but applying it only per domain.
If requests are sent to different domains, there should be no need to throttle them, since doing so would not increase the risk of data exfiltration.
This change would maintain the intended security benefits while greatly improving usability and load performance.
I would greatly appreciate your consideration of this improvement.
Log In
Docteh
> In extreme cases, if just one asset tries to load 30 images at once,
i think vrc wants to avoid world creators wanting to do stuff like that
chiugame
Docteh Thank you for your comment.
Yes, I agree that VRChat would want to avoid that.
However, that concern is unrelated to this particular Canny request.
This proposal is simply asking for the 5-second restriction to be applied per domain,
and it would not affect how these systems are used or their overall security.
In addition, there is no practical way for world creators to know how a commercially sold asset is implemented before purchasing it.
As a result, it’s possible for important parts of a world to remain in a waiting state for an extended period of time, unintentionally, after placing such assets.
syncpulse
Docteh default vrchat home downloads approx 40 images immediately upon join
srckat
I agree that the 5 second restriction is annoying, but I want to bring up that making it per domain means that one creator could potentially create 50+ subdomains and poll them all at the same time, which could cause a lot of potential issues. Not that I don't agree, just adding on to this.
chiugame
srckat Thank you for your comment!
I believe it would be possible to handle this in the same way as the current whitelist system, where subdomains are included.
For example, entries like *.github.io are already allowed in the whitelist,
so I don’t think this change would cause any issues.
Theoretically, one could obtain 50 or more separate domains to achieve the same effect,
but that would be highly impractical in reality.
srckat
chiugame So basically, that would mean that enabling untrusted URLs
could
cause a lot of bandwidth to be used randomly. I'm not sure if they want that.