[VRChat Request] Regarding local persistence #1063

Open
opened 2026-04-05 16:49:30 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @dtupper on 6/5/2023

Hello VRCX!

We see that [you're planning on implementing a form of persistence](https://github.com/vrcx-team/VRCX/pull/553) that relies on using Udon remote strings to access local URLs.

Being able to access local URLs isn't good security practice, and generally, we don't want to allow this. In an upcoming security update, we had already planned to block most if not all [bogon IP networks](https://www.team-cymru.com/bogon-reference-http).

But then, we learned about this PR. This security change would break VRCX's implementation in that PR. We're also aware that it'd break some other systems, like Varneon's Udonity.

However, we know persistence is really useful and highly desired. As it happens, a couple of types of persistence are coming very soon, including a form of persistence that would implement the features this PR provides. We're looking at 1.5 to 3 months, maybe. These features are yet to be announced so timelines can still move. You're getting a bit of a preview here.

We are concerned that if the VRCX form of persistence becomes popular (as it probably would be, it's pretty convenient), many worlds will then be affected by the security changes. Those worlds will break when we make this change, affecting a large number of users and causing them to lose data. Furthermore, users may accrue large amounts of VRCX-brand local persistence data that won't migrate to the native implementation. As this would be pretty terrible for a user to experience, we wanted to contact you as soon as we learned about this.

As such, we'd like to ask you to refrain from implementing this feature as a baseline feature. We'd also request that you discourage world developers from implementing it and then encouraging users to install unstable versions of VRCX, as shown below:

![image](https://github.com/vrcx-team/VRCX/assets/5649747/f1f2d470-e8c0-472e-9bb5-8f5939c17c05)

I'll be glad to answer questions on this issue if needed! You can also contact me on Discord. My username is tupper.

Thank you!

MrUnknownDE added the Feature and Stale labels 2026-04-05 16:49:39 +02:00
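The kind of destination check the post describes (refusing URL loads that point at bogon networks), as an added example that is not code from VRChat or VRCX. `BOGON_NETS` is an abbreviated, constructed subset of a bogon list, and `url_allowed`, `fake_resolve` and the sample hostnames are hypothetical; the resolver is injected so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Abbreviated, constructed subset of bogon prefixes; a production list is longer.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot slip past the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BOGON_NETS)

def url_allowed(url, resolve):
    """Return True only if every address the URL's host maps to is non-bogon.

    resolve(hostname) -> list of IP strings (hypothetical injected resolver).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)      # literal IP in the URL
        addrs = [host]
    except ValueError:
        addrs = resolve(host)           # a name: check what it resolves to
    # Fail closed on empty answers, and reject if ANY answer is a bogon,
    # since a name can return a public and a local address together.
    return bool(addrs) and not any(is_bogon(a) for a in addrs)

# Constructed DNS answers for the demonstration.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```

The fetch that follows has to connect to the address that was checked rather than resolving the name a second time, otherwise a changed DNS answer bypasses the filter.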

Reference: github/VRCX#1063