Trusted URLs: Difference between revisions
From VRChat Wiki
Prismic247 (talk | contribs) Created page with "{{Noticebox/Official}} By default, worlds in VRChat cannot make requests to remote URLs unless the user enables the "Allow Untrusted_URLs" setting. This is an intentional measure for security purposes. There is however an allowlist of trusted domains that are the exception to this rule, and are specific to the type of content being loaded. Below are the different allowlist..." |
mNo edit summary |
||
| (11 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
{{Noticebox/Official}} | {{Noticebox/Official}} | ||
By default, worlds in [[Special:MyLanguage/VRChat|VRChat]] cannot make requests to | By default, [[Special:MyLanguage/Worlds|worlds]] in [[Special:MyLanguage/VRChat|VRChat]] cannot make requests to untrusted URLs unless the user enables the "[[Special:MyLanguage/Untrusted_URLs|Allow Untrusted URLs]]" [[Special:MyLanguage/Settings|setting]]. Public [[Special:MyLanguage/Instances|instances]] are additionally secured by a list of up to 10 hosts, which can be set by the world creator. This is an intentional measure for security purposes. There is however an allowlist of trusted domains that are the exception to this rule, and are specific to the type of content being loaded. Below are the different allowlists by type. | ||
== Video | == Video player allowlist == | ||
The following domains are allowlisted for | The following domains are allowlisted for public [https://creators.vrchat.com/worlds/udon/video-players/www-whitelist/ video] content in [[Special:MyLanguage/Video_players|video players]]. For the complete list used at runtime, which may change at any time, query the <code>urlList</code> property from the [[apiref:reference/get-config|config endpoint]] of the [[Special:MyLanguage/VRChat API|VRChat API]]. | ||
{| class="wikitable" | {| class="wikitable" | ||
!Service | !Service | ||
| Line 32: | Line 32: | ||
|<code>*.topaz.chat</code> | |<code>*.topaz.chat</code> | ||
|- | |- | ||
|Twitch | |Twitch | ||
|<code>*.twitch.tv</code>,<code>*.ttvnw.net</code>,<code>*.twitchcdn.net</code> | |<code>*.twitch.tv</code>,<code>*.ttvnw.net</code>,<code>*.twitchcdn.net</code> | ||
|- | |- | ||
|VRCDN | |[[Special:MyLanguage/Community:VRCDN|VRCDN]] | ||
|<code>*.vrcdn.live</code>,<code>*.vrcdn.video</code>,<code>*.vrcdn.cloud</code> | |<code>*.vrcdn.live</code>,<code>*.vrcdn.video</code>,<code>*.vrcdn.cloud</code> | ||
|- | |- | ||
| Line 48: | Line 48: | ||
|} | |} | ||
== String | == String loading allowlist == | ||
The following domains are allowlisted for | The following domains are allowlisted for [https://creators.vrchat.com/worlds/udon/string-loading string loading] using [[Special:MyLanguage/Udon|Udon]]. For the complete list used at runtime, which may change at any time, query the <code>stringHostUrlList</code> property from the [[apiref:reference/get-config|config endpoint]] of the [[Special:MyLanguage/VRChat API|VRChat API]]. | ||
{| class="wikitable" | {| class="wikitable" | ||
!Service | !Service | ||
!Domain | !Domain | ||
|- | |||
|DisBridge | |||
|<code>*.disbridge.com</code> | |||
|- | |- | ||
|GitHub | |GitHub | ||
| Line 62: | Line 65: | ||
|Pastebin | |Pastebin | ||
|<code>pastebin.com</code> | |<code>pastebin.com</code> | ||
|- | |||
|VRCDN | |||
|<code>*.vrcdn.cloud</code> | |||
|} | |} | ||
== Image | == Image loading allowlist == | ||
The following domains are allowlisted for | The following domains are allowlisted for [https://creators.vrchat.com/worlds/udon/image-loading image loading] using [[Special:MyLanguage/Udon|Udon]]. For the complete list used at runtime, which may change at any time, query the <code>imageHostUrlList</code> property from the [[apiref:reference/get-config|config endpoint]] of the [[Special:MyLanguage/VRChat API|VRChat API]]. | ||
{| class="wikitable" | {| class="wikitable" | ||
!Service | !Service | ||
| Line 72: | Line 78: | ||
|Discord | |Discord | ||
|<code>cdn.discordapp.com</code> | |<code>cdn.discordapp.com</code> | ||
|- | |||
|[[Special:MyLanguage/Community:DisBridge|DisBridge]] | |||
|<code>*.disbridge.com</code> | |||
|- | |- | ||
|Dropbox | |Dropbox | ||
|<code>dl.dropbox.com</code> | |<code>dl.dropbox.com</code>,<code>dl.dropboxusercontent.com</code> | ||
|- | |- | ||
|GitHub | |GitHub | ||
| Line 97: | Line 106: | ||
|<code>i.redd.it</code> | |<code>i.redd.it</code> | ||
|- | |- | ||
|Twitter | |X (formerly Twitter) | ||
|<code>pbs.twimg.com</code> | |<code>pbs.twimg.com</code> | ||
|- | |||
|VRCDN | |||
|<code>*.vrcdn.cloud</code> | |||
|- | |- | ||
|VRChat | |VRChat | ||
|<code>assets.vrchat.com</code> | |<code>assets.vrchat.com</code> | ||
|} | |} | ||
== See also == | |||
* [[Video players]] | |||
[[Category:Video_players]] | |||
Latest revision as of 02:30, 8 March 2026
It is reviewed and approved by the VRCWiki Team. Learn how to contribute to this page by reading the Contribution Guide.
By default, worlds in VRChat cannot make requests to untrusted URLs unless the user enables the "Allow Untrusted URLs" setting. Public instances are additionally secured by a list of up to 10 hosts, which can be set by the world creator. This is an intentional measure for security purposes. There is however an allowlist of trusted domains that are the exception to this rule, and are specific to the type of content being loaded. Below are the different allowlists by type.
Video player allowlist
The following domains are allowlisted for public video content in video players. For the complete list used at runtime, which may change at any time, query the urlList property from the config endpoint of the VRChat API.
| Service | Domain |
|---|---|
| Akamai CDN | vod-progressive.akamaized.net
|
| Facebook Video | *.facebook.com,*.fbcdn.net
|
| Google Video | *.googlevideo.com
|
| Hyperbeam | *.hyperbeam.com,*.hyperbeam.dev
|
| Mixcloud | *.mixcloud.com
|
| NicoNico | *.nicovideo.jp
|
| Soundcloud | soundcloud.com,*.sndcdn.com
|
| Topaz Chat | *.topaz.chat
|
| Twitch | *.twitch.tv,*.ttvnw.net,*.twitchcdn.net
|
| VRCDN | *.vrcdn.live,*.vrcdn.video,*.vrcdn.cloud
|
| Vimeo | *.vimeo.com
|
| Youku | *.youku.com
|
| YouTube | *.youtube.com,youtu.be
|
String loading allowlist
The following domains are allowlisted for string loading using Udon. For the complete list used at runtime, which may change at any time, query the stringHostUrlList property from the config endpoint of the VRChat API.
| Service | Domain |
|---|---|
| DisBridge | *.disbridge.com
|
| GitHub | *.github.io
|
| GitHub Gist | gist.githubusercontent.com
|
| Pastebin | pastebin.com
|
| VRCDN | *.vrcdn.cloud
|
Image loading allowlist
The following domains are allowlisted for image loading using Udon. For the complete list used at runtime, which may change at any time, query the imageHostUrlList property from the config endpoint of the VRChat API.
| Service | Domain |
|---|---|
| Discord | cdn.discordapp.com
|
| DisBridge | *.disbridge.com
|
| Dropbox | dl.dropbox.com,dl.dropboxusercontent.com
|
| GitHub | *.github.io
|
| ImageBam | images4.imagebam.com
|
| ImgBB | i.ibb.co
|
| imgbox | images2.imgbox.com
|
| Imgur | i.imgur.com
|
| Postimages | i.postimg.cc
|
i.redd.it
| |
| X (formerly Twitter) | pbs.twimg.com
|
| VRCDN | *.vrcdn.cloud
|
| VRChat | assets.vrchat.com
|
