Allow VRCURL URL / Dynamic URLs At Runtime, It's Time for a Change
Balphagore
With the Remote string loading and image loading, we should be able to dynamically construct endpoint url's to cater to different scenarios and offer more flexibility.
I know other posts about this do exist, but I feel like VRChat won't really pay attention without there being more volume and input from the end users. Please upvote relevant requests and share your thoughts. I'm using this post to potentially share my feedback and idea, and offer a starting point for us to discuss on. I want to be able to kickoff my project in VRChat and the string loading with dynamic URL's will play a major role in making it a reality.
I am assuming this was not possible because of "security" concerns, but let's face it that we offer users to block untrusted URL's as is and give them warnings.
VRChat is not only a social platform, but a sandbox for creators in terms of avatar, world, and scripting content.
I've developed essential tools on Garry's Mod and other sandbox games, and they had no problem letting scripts make API calls, despite the community having a dangerous and toxic userbase. This allowed me to let my clients configure "roles" and preferences from an external web portal.
Are you afraid of data exfiltration? There are ways to do that already.
Malicious URL calls? Anything on the internet can be malicious as is. We can't keep having this "Carebear" security mindset and keep it locked tight that severely limits our creativity, but look for accountability and flexibility. The security concern is admired, but now its necessary to send dynamic URL's for search queries when we deal with remote strings or images, otherwise we have no choice but to dump the entire dataset.
I will just have to create hundreds of VRCURL's and just do a bunch of if/else's and download the entire "database" instead of feeding search queries to get specific datasets to save bandwidth and filter through the data set on the server side.
Maybe to meet in the middle, we can be transparent of the requests to be made. Add a prompt to the end user stating that "This World is requesting permission to let your game send/receive content to and from http://xyz.com" and it would be whitelisted to that user individually. Any new URL's not on the list will prompt another permission request. It would
Only
apply to the domain name, and Subdomain only. Maybe prevent changing the domain/subdomain of the URL entirely. This can also allow the user to feel more confidence knowing that their "Untrusted URLs" is no longer a wildcard, but can consult a list to see which untrusted URL's they're permitting on their client.With your upcoming "Udon" menu implementation, it could be considered to have VRChat built-in user preferences specific to the worlds, and include the whitelist there of URLs the World has requested to communicate with.
Log In
Сhіp
This is a must have, hell, even ROBLOX allows you to make requests to whatever dynamic URLs you please, as long as it's requested from the server, and even then you can just use their RemoteFunctions/RemoteEvents to pipe the response data back to the client. If ROBLOX can do it, VRChat clearly can.
Nіyah
That would also be very nice, the game right now is on full lockdown about dynamic content and it's quite sad to see.
Right now, that's exactly what we're planning, a list of over thousands VRCURLS, and there's no other solution, will it run poorly ? surely, but we don't have any others solution.
I very much would like to see a middle ground appear, being control freaks for security isn't healthy and do not allow for true dynamic content creation, sadly.
I'd like to provide a youtube/Twitch search function, just like the old days (which was very hacky and not intended...), can't do that, even tho they're both whitelisted as whitelisted video feed providers.
I don't know man, I don't know, but a more dynamic way to handle untrusted URLs (per world maybe ? per domain as he said ? Would GREATLY, GREATLY be welcomed.
The securities issues is an argument that VRC throw left and right but is never explicit, so except if you guys know are about issues that need fixing before allowing that, I do not understand honestly. (and so, please, say it clearly, be transparent with us)