There have been several past discussions regarding the ability to dynamically construct VRCUrl objects, but most are now outdated and remain unresolved.
Currently, users have found workarounds by predefining many VRCUrl instances and transmitting them byte by byte — a method that demonstrates the restriction can be circumvented in practice.
The restriction is commonly believed to stem from security concerns, but this justification feels increasingly outdated, especially given how significantly it limits creative expression in world development.
Would the VRChat team consider revisiting this limitation?
Allowing dynamic construction of VRCUrl, even for untrusted URLs, would greatly expand the possibilities for interactive and innovative world creation.
I agree 100% and was just going to post another request on the suggestions site.
What is plainly obvious is that there is no security and virtually no other concern addressed by this limitation. Let me explain what I am doing and end up having to tell players.
I have a list of dynamically produced video URLs. These are simple strings. The user clicks on one and it appears in an “input control”. The user clicks the copy icon on the pop-up keyboard. They then close that keyboard (ok or cancel it doesn’t matter). The URL is now in their copy buffer.
They then click on a VRC URL input and another keyboard appears. They simply press the paste icon and press OK.
It doesn’t matter what the URL is, nobody validates it. Players understand it is a limitation of VRC and just follow the instructions. What could they do to preview the link in any case?
All this because we can’t set the URL property of the VRC URL Input directly. It requires a “player” who is often me. Explaining the magic isn’t always worth the effort. I’m also stuck explaining that “it isn’t me” VRChat just requires these steps.
Nothing is made any more secure by using this copy/paste scenario.
The VRChat community has made some many useful APIs over the years and especially since String Downloading became a thing. I think VRC devs are being too limiting on creators and users under the excuse of safety.
Like what if both me, as a developer, and my users want to enjoy custom web based functions?
The only real and meaningful way is to create a get() api route with overly general data or a dump of a data table. It’s so caveman like, and not for good reasons.
There is no body content, no query, no custom headers…just a get request.
As far as the security argument goes, everyone I know has “Allow unsafe URLs“ turned on.
That is what VRChat needs to address first, a proper users whitelist flow. Then allow worlds to make custom requests if the users allows it. This shouldn’t be up to VRChat alone to decide.
I really hope the dev team reviews this and gives us, both world creators and users, more agency over what can and can’t be done. As it stands the setting is a black or white approach.
It may have been mentioned before but the initial problems are that the permission is granted one-time and at the account level. Other platforms (NEOS comes to mind) but also AltSpaceVR asked each time the user entered the world and it only applied to that world. It was a simple dialog that one could accept or reject.
Yes, it means approving it each time but it serves as a reminder that a player has given permission. It also means that they are trusting the world builder and/or host not “every world in every situation”.
If someone (to make up a scenario) is present in a world and showing off-color but permitted videos the only way I am aware of to stop it is to turn off trusted URLs for all worlds at all times. Such a solution requires turning it on again as that person leaves and/or you join another world.
It isn’t “secure”. Nothing that I am aware of prevents any video (hosted on Youtube or elsewhere) from playing. Anyone present can enter one and the URL can be hardcoded into the world requiring nothing more than a click of a button.