There have been several past discussions regarding the ability to dynamically construct VRCUrl objects, but most are now outdated and remain unresolved.
Currently, users have found workarounds by predefining many VRCUrl instances and transmitting them byte by byte — a method that demonstrates the restriction can be circumvented in practice.
The restriction is commonly believed to stem from security concerns, but this justification feels increasingly outdated, especially given how significantly it limits creative expression in world development.
Would the VRChat team consider revisiting this limitation?
Allowing dynamic construction of VRCUrl, even for untrusted URLs, would greatly expand the possibilities for interactive and innovative world creation.
1 Like
I agree 100% and was just going to post another request on the suggestions site.
What is plainly obvious is that there is no security and virtually no other concern addressed by this limitation. Let me explain what I am doing and end up having to tell players.
I have a list of dynamically produced video URLs. These are simple strings. The user clicks on one and it appears in an “input control”. The user clicks the copy icon on the pop-up keyboard. They then close that keyboard (ok or cancel it doesn’t matter). The URL is now in their copy buffer.
They then click on a VRC URL input and another keyboard appears. They simply press the paste icon and press OK.
It doesn’t matter what the URL is, nobody validates it. Players understand it is a limitation of VRC and just follow the instructions. What could they do to preview the link in any case?
All this because we can’t set the URL property of the VRC URL Input directly. It requires a “player” who is often me. Explaining the magic isn’t always worth the effort. I’m also stuck explaining that “it isn’t me” VRChat just requires these steps.
Nothing is made any more secure by using this copy/paste scenario.