Consider easing up the restrictions on local plugins

As a Roblox developer, it is currently too hard to modify Roblox Studio’s behavior, extend its functionality and create better integration with third-party tooling.

I was always a big Roblox Studio tinkerer, so I still remember the disappointment I felt when Roblox decided to only allow signed builtins to be loaded back in 2021.

On one hand, it was understandable. There were some private APIs which had obvious security risks and just had no good reason to be exposed. However, I was expecting locked down functionality to progressively make its way into our hands again.

Fast forward to late 2023, and this has clearly not happened. As far as I’ve noticed, there have actually been zero additions to the API of user widgets, even local ones.

We still can’t create prompts (via qwidget), we still can’t take meaningful control of the cursor and we can’t even make standalone plugins!

This lack of trust not only hurts advanced tooling and workflows, but also hurts community initiatives to bring Roblox into Linux and other unsupported operating systems.

Roblox Studio has always been a particularly tricky program to get working right. We currently have a major issue in wayland sessions which prevents the edit mode camera from rotating properly, effectively invalidating studio’s usability there.

After a long period of brainstorming at Vinegar, we found a way of working around this issue. By using a studio plugin which closely coordinates with vinegar, we’re able to detect when the user is rotating the camera in the viewport, create an in-engine “stand-in” cursor, and hide the real hardware cursor. This is enough to fix the issue, as xwayland locks invisible cursors properly.
The fact we’ve managed to pull this off in spite of the horrible limitations of the plugin api just goes to show the kind of potential it has.

In other words, the less Roblox arbitrarily locks down their API, the easier it is for the community to continue providing free, high-quality and open-source ways of running Roblox in unsupported (yet increasingly relevant) platforms.

We plan to use studio’s plugin API to increase its integration with Vinegar (and Linux), with the ideas of native linux file prompts and dynamic theming (based on the OS’s own theme) being just a few of the ones being considered and tested.

Unfortunately, we usually run into edgecases we can’t solve, simply because Roblox never got around to opening up that one obvious method or feature.

For example: While we can actually dynamically change studio’s theme, we can’t do so on the homepage, because our plugin hasn’t loaded that early. There’s no way to fix this because standalone plugins must be signed by Roblox, otherwise they won’t load.

Some functionality being missing makes sense in the context of the plugin market, but not when the user is explicitly dragging the code they wrote into a folder in their computer, or running studio via a third-party bootstrapper (it can do very nasty things, regardless of plugin APIs).

While there are some parts of the API which allow dangerous actions (such as doing actions as the user’s account in their behalf), a lot of them are completely harmless and pose no risk to the end user, especially in the context of a locally loaded plugin (not just something downloaded out of the plugin marketplace!)

It’s time for Roblox to make a full audit of their restricted roblox-only plugin APIs and evaluate which parts of it are actually security dangers for local plugins. Roblox Studio is a SDK, there’s no need to arbitrarily lock down its functionality.

If Roblox is able to address this issue, it would improve my development experience because it’d allow for myself (and the community) to make improvements and fill certain gaps in our development workflow, regardless of Roblox’s strategical interest on them.

Less restrictions translates into…

• Better user experience in unofficial platforms

• Better functionality for community tooling, regardless of Roblox’s interest (Rojo, local assets, etc…)

This is mutually beneficial. The community gets the functionality they want, while Roblox doesn’t have to worry about investing on something they have no interest in.

I can’t speak for the entire developer community, but as a major contributor of Vinegar, I can say that the Roblox FOSS community would love to coordinate and collaborate with Roblox engineers more often. But to do that, we need to be taken more seriously! There’s only so much we can do when every advanced power feature we rely on is removed at a snap of a finger, often with little to no recourse, and is just never seen again.

FOSS tooling is, more than ever, a fundamental part of development on Roblox and strengthens the entire platform.
As much as Roblox has improved in the way they deal with it, situations like the release channels being plugged off the wall without warning and arbitrary restrictions in studio show that we still have a long path ahead of us.

I feel like if this went through, there would have to be another trust level added. One of the reasons I believe BuiltInPlugins were locked down was because of the UGC additions and APIs and also because of RobloxScriptSecurity functions being accessible at that trust level.

However, that could be alleviated by decreasing trust for some RobloxScriptSecurity functions to PluginSecurity. But that wouldn’t be sufficient for some workflows, and the maintainability and extra step of security considerations vs. making a non security tested function RobloxScriptSecurity for primarily use for hero apps.

This seems fine to me, as long as:

1. Extended permissions and functionality are exposed.
2. Plugins which use said functionality are loadable by the end user. (Note: This does not have to be existing local plugins folder either! It could be a separate one, for all I care.)

As long as there’s some path, even if it’s manual, for the user to confirm their trust on a extended plugin, the way Roblox goes around exposing them doesn’t matter.

While the security argument is understandable, there’s surely a reasonable way for the user to say “yes, I’m fine with using this plugin which is equipped with QWidgets”.

Like come on, local plugins can already send requests online, silently and without being prompted. What’s the big deal with them being allowed to use Qwidgets or running on studio’s home page?

Roblox could at least provide us feedback on why certain functionality is not exposed to us, instead of slowly removing the only viable way to use it and then turn a deaf ear on our pleads to access it again.

This isn’t about built-ins per say, they just happened to be the best (and only) reliable way of accessing some of studio’s advanced plugin APIs and functionalities. I just want to get access to some of those methods again (the way it’s exposed is up to Roblox, it just gotta be exposed somehow!)

We share this vision of every plugin could (should?) be a standalone plugin! Our big mission for my team in particular in 2024 is to make Studio easier to use and much easier extend.

There’s a lot of pieces required to get to what you’re describing and our team is making progress where we can. Namely a more modular architecture, a more componentized UI, and plugin infrastructure that supports capability or access declarations.

Often we are bundling the foundational work needed to get there with other features we are working on. For that reason, it’s tough to give a singular ETA on this specific outcome.

But hopefully it helps to know we hear you, agree with you, and we are moving in that direction.

Wow, that’s awesome to hear!

I’m glad that there’s a roadmap and that the plugin framework will be such a big focus next year. I’ll be looking forward to where this goes!

Studio plugins, as limited as they are, are extremely powerful when paired with an external helper program. Bringing in standalone plugins and extended permissions will no doubt improve on their current limitations.

Any possible ETA on this?

I was attempting to modify the AnimationClipEditor to have visual indicators if it goes through a Marker. But due to the GUI being locked out and no easy way to edit the source-code and with no BuiltInPlugin support – It becomes a trivial task.

I wonder why standalone support was dropped the first time round it was added.

Theres some APIs involving sharing state between the various plugin instances that would be extremely helpful for this specific usecase (or even talking between the edit state plugin and run state plugins).

If standalones are being developed locally, it would be nice if we could force view the explorer in the standalone state (maybe behind a flag or setting), since currently you would either have to render your own, or constantly read a log file on GetChildren calls.

No ETA yet but progress is happening — much of it as a part of the work we’ve done for the Next Gen Studio UI. Once we get this massive set of changes merged in and the community tells us we’re headed in the right direction, we can do some more focused work here.

I don’t have the historical knowledge here, unfortunately. But everyone agrees the plugin workflows are far more painful than they need to be and we’ll be in a much better position to improve those later this year.