Support for granular world permissions and per-world user settings
Genesis
World developers should be able to:
- Select required and optional permissions in the world descriptor prior to uploading a world.
- Query a world permissions API exposed through Udon to view the permissions that a user has allowed the world developer to use.
- Receive an event in Udon when world permissions have changed while a user is in the world.
Permissions would include:
- Access to user's skeleton and play space tracking data.
- Access to user's display name.
- Access to a unique identifier for the user.
- Access to network resources (video/string/image loaders).
- Access to custom domains for URL construction (and specify which custom domains should be allowed where appropriate).
Users should be able to:
- View a world's permissions in the main menu prior to joining a world.
- When a world has required permissions, the user must accept those permissions in order to be able to join the world.
- When a world has optional permissions, the user can select which permissions they wish to allow to the world developer prior to joining the world on their first join attempt, and may reconfigure those permissions after joining the world.
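The required/optional model and the per-world domain list proposed in the post above, as an added Python sketch. It is not part of the original post and not a VRChat or Udon API. The permission names, `WorldDescriptor`, `Session`, `join` and `may_load` are all hypothetical, and the HTTPS-only rule is an assumption of the sketch.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass(frozen=True)
class WorldDescriptor:
    """Hypothetical descriptor: permission names and fields are illustrative."""
    required: frozenset
    optional: frozenset = frozenset()
    allowed_domains: frozenset = frozenset()  # exact lowercase hostnames

@dataclass
class Session:
    world: WorldDescriptor
    granted: set
    listeners: list = field(default_factory=list)  # callbacks(perm, allowed)

    def set_optional(self, perm, allow):
        """User reconfigures an optional permission after joining."""
        if perm not in self.world.optional:
            raise ValueError(f"{perm} is not an optional permission")
        if allow == (perm in self.granted):
            return  # no change, so no event
        (self.granted.add if allow else self.granted.discard)(perm)
        for notify in self.listeners:  # the "permissions changed" event
            notify(perm, allow)

def join(world, accepted):
    """Return a Session, or None when a required permission was declined."""
    if not world.required <= accepted:
        return None
    # Grant only what the descriptor declared, never extra names.
    return Session(world, set(accepted & (world.required | world.optional)))

def may_load(session, url):
    """Gate a runtime-built URL on granted permissions and an exact host match."""
    if not {"network", "custom_domains"} <= session.granted:
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # parsed host: ignores userinfo, path and port
    except ValueError:
        return False
    # Assumption of this sketch: HTTPS only, no suffix or substring matching.
    return parts.scheme == "https" and host in session.world.allowed_domains
```

Matching on the parsed hostname rather than on the URL string is what keeps a declared domain from being satisfied by a lookalike host, a userinfo prefix, or a path segment.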
Docteh
> When a world has required permissions, the user must accept those permissions in order to be able to join the world.
I disagree on that, too easy to get to warning fatigue, especially if the pop-up is provided by VRChat. I think if worlds can check permissions at run time, it'll be easy for them to explain to users what they want and hopefully why.
I have been in one world that actually checks if untrusted URLs are enabled. Only noticed that because a friend reset a bunch of things. I'd guess they just use the string loader and if it fails, show the pop-up.
『Schwi』
Access to a user's skeleton and play space tracking data? Display name? Unique Identifier?
That's a bit much.
Specify each individual domain? And I assume the user needs to accept these permissions every time they load into the world. It's all a bit much.
A generic "This world would like to post data to outside services" would suffice. If you're really paranoid, a 'View Requested Domains' button could be made available to see exactly which ones will be contacted.
Reimajo
I fear that this would be a bit overdramatic. "THIS WORLD WANTS TO ACCESS YOUR TRACKING DATA" would scare users away for no reason. That would affect almost every world today where you can do anything at all. None of this data leaves VRChat, so why bother that a world can access it in Udon?
Stuff like display name and tracking data, plus access to whitelisted URLs, are required for most worlds to function. They don't need permission unless you want to send this data to a web service, which doesn't seem to be what this canny here is about. And if you don't send it out, why do you need permission to access it in Udon?
I agree that such a system would be good for additional permissions (no rate limit, dynamic URL constructions for all URLs, unique identifier access). I just can't upvote a Canny that suggests locking down existing possibilities that are already more locked down than they should be.
Reimajo
To clarify, such a system would ONLY be needed when you want to dynamically construct URLs at runtime for a non-whitelisted domain. Then it would make sense, yes. But because this canny here doesn't describe it as that being the main factor, it feels wrong to me.
syncpulse
I agree on the HTTP-related permissions, the other stuff seems like a bit much though.
Edit: Meh, not sure I'm a fan of needing to specify the domains that will be used in a world. Plenty of use-cases for loading (or redirecting to) some domain that isn't known ahead of time.