I understand that string and image downloaders do not follow redirects, however video players such as AVPro do allow redirects. The usecase being that a user could enter a link in a world for a JSON containing video urls that are redirected from github.io they could be turned into VRC URL’s and would be playable in a video player.
Github while a trusted URL for text and image downloading, isn’t a trusted source for video downloads. So the video player system would reject it for that reason.
The domains usable with TryGenerateVRCUrl will be a subset of the normal trusted domains. We are currently working to ensure that only domains which do not provide functionality similar to what you’ve described will be included as part of this subset.
3 Likes
The limits do not block you when using build & test, though it will display a warning in the build panel post build if you did breach either limit
We took various aspects into account while coming up with the decided limits including usage, at this moment I don’t believe I can share specific stats other than those already mentioned
3 Likes
Is directly interacting with HTTP/REST APIs ever going to be on the table for us world creators? I read “URL Construction for Udon” and thought I could finally put this cursed NodeJS app on my server out of its misery, that translates between string loader requests and real API requests, but no. Its just over-complicated playlist loading. I do not see any real use for this outside of that one specific thing.
Extend the “Allow untrusted URLs” to this, please. Or if you’re really worried, create a popup like the Windows UAC when a user joins a world which uses this feature outside the allow lists. And please consider just giving us a straight-up HTTP client. There are plenty better solutions than to entirely keep people from integrating a bunch of crazy cool tech or data sources that are already out there.
7 Likes
nice 
You can do this with the modular tools like vrcfury and modular avatar.
As you say, make a base version of your avatar with only the menus and assets that you want, and make it a prefab, then you can drop that prefab multiple times in your scene and add others outfits on top of it. That way you will get multiple avatars with the same base, and if you change something on the base prefab and save it, it will be replicated on all your avatars.
Then if you need to upload them a lot, you can use a tool from @anatawa12 with GitHub - anatawa12/ContinuousAvatarUploader: The tool to upload multiple avatars continuously with tagging version to upload all your avatar at once.
1 Like
Github.Io is not whitelisted for videoplayers. You can view current whitelist here - https://api.vrchat.cloud/api/1/config
2 Likes
Is there also any plans for Quest world size limit to be upgraded past the 100mb?
The limit hasn’t been raised after the Quest 1 became deprecated and the 100mb limite has been here for over 2 years now.
Loving imposters, however, I think we need a more clear indication that people are seeing an imposter. I get a lot of people now (in fact, most ._.) who don’t know they are seeing my imposter, and just assume the no emissions and looking cruncher is just part of the avi. And even if you are FRIENDS, it doesn’t un-imposter, and so even my friends that haven’t fully shown my avatar don’t realise they are seeing the sus Imposter, and not my propper avi.
People, especially quest users, don’t seem to read the dev blogs, and a lot of people don’t even know imposters are a thing! (and I’m not talking down on questies, most of my friends are quest, i just want them to be having the best experience they possibly could be with what limitations they have <3 ).
I think perhaps the little fallback icon is too small and overlooked since people see it so much and are used to it. People just assume they are seeing the real avatar since it’s not one of the generic fallbacks that they usually see, so don’t realise it’s an imposter. Perhaps say a hula-hoop around the waist of the avi, either with text on it saying “imposter” or “fallback”, or just a simple coloured hoop; or even a little sign next to or on the front (can appear now and then, not having to be there all the all the time) telling people it’s a fallback/imposter would be good!
Also… I’m not sure why friends still see imposters, even though their avi should be fully on if friended. Ik safety settings are basically useless for quest, since you have to fully put on people’s avatars anyway (which bypass safety) to even see people, but I didn’t know/remember they had to still do that for their friends.
3 Likes
So happy to see VRCUrl open to trusted urls. Gonna make my job so much easier with Sunset xD
As always, a really good post to keep track of upcoming features. The URL Construction API seems very promising and open lots of opportunities.
Can’t wait.
Also, thank you for the memory usage limitation. This is going to be gold for places with a lot of poorly optimized avatars.
1 Like
It is not appropriate to limit URL construction to the secure URLs recognized by the VRC official. As a global game, Vrchat cannot include commonly used websites from various countries in the security scope. This should be decided by the player themselves. For example, when uploading the world, the creator should list the domain names they need to use, and after the player joins the world, they can check the domain names listed by the creator and choose whether to allow access!!!
2 Likes
a lot of people don’t even know imposters are a thing!
If you knew how much that’s true, I also keep telling people that this is a thing, vrchat could advertise this feature so much more so more people can profit from it. With all the dev time it took to develop, might as well make sure as much people as possible know about it.
VRChat has some kind of policy, only allowing trusted provider of URLs, and mostly don’t want people to extract data in unexpected ways.
So i guess it would be nice, but probably won’t happen any time soon.
I’m curious on the restrictions for the Android platform. For the upload/download limit, are they not able to be bumped up by at least 5mbs? Or even pushing it to 20mbs?
As well, why is the Android platform for mobile devices heavily restricted? I have a Google Pixel 8 pro and runs the VRChat client fine but can’t load anyone’s avatar with safety settings lifted as I am allowed to.
And still we have the same low 70k Poly limit for Good to Poor… we need more Poly to get avatars look nice. i hate beeing stuck to 70k Poly even on Poor allowed Partys… and no it has no perfomance impact if i have a 120k oder 70k poly avatar. we live in 2024.
Perfomance impacts are those who are using Anystates or other bad FX Layer stuff. Even a “good” Avatar can be way more bad than a very Poor one!
2 Likes
Security restrictions still cannot achieve many practical functions. For example, creators still cannot use URL construction to upload player points in the game world to the server for ranking all player points, nor can they make it more convenient to search for videos in the world. For example, the very popular YTS 2.1- Search YT, Subtitles, and Quest world can only prefabricate server URLs that are considered unsafe by VRC in the input box VRChat - Home
1 Like
Asking users to police their own security is a terrible idea. Everyone always just clicks ‘allow’ without reading the warnings.
If you have have a site from a reputable but unlisted host because its international, submit a Canny request for it to be added to the safe list.
4 Likes
ummm
increases by 300%
or
increases to 400% (of the previous size)
or just
quadruples
that’s crazy big.
on a full normal instance that’s up to 24GB of VRAM eaten by avatars only.
personally i’m currently manually hiding nearly everyone with over 100MB even despite having a decent 12GB graphics card, and it helps, and i believe users on average have like half of mine available.