Intro
Hello dear readers,
Currently, the HTTPService is either all-in or nothing. This is something that restricts multiple developers from properly relying on the service for multiple reasons. One of them being security concerns.
Current functionalty
Currently, there is only one option associated with HTTPService, which in my opinion is not good. And that option is to either enable it, or disable it completely. Although this has worked fine, more recently we have started to see more malicious plugins, models and other assets available for developers.
If you enable HTTPService now, it allows literally anything to connect to the outside world, although this seems good at first, if you think more about it, it’s not that good at all. Imagine you install a plugin from the marketplace, and without you knowing it, it copies everything you have in your place (scripts, buildings, models etc.) and sends it to a website. Or, some malicious code that you got from a model just secretly sends information to a website. Now it probably does not sound good at all.
Solution
A solution I’ve come up with, is a domain whitelist system with customizability. This can ensure developers can trust plugins more (even though they could be malicious). I believe you should be able to set which domains you can send requests to, because currently it’s not safe to trust all assets you use, and you can set restrictions on the service.
Developers should be able to have a whitelist-only system where they have to manually add what domains are allowed.