Filtering Enabled plugins

As a Roblox developer, it is currently too hard to completely secure plugins in Roblox Studio.

Making plugins is a valuable tool for developers, however I’m surprised that there aren’t more ways to utilize them. One way to advance and promote creating plugins is to allow monetization and team plugins. I will touch on this later in the post.

You might ask yourself, why Filtering Enabled for plugins? Well, to put it simply: security. Right now it’s extremely easy to copy plugins from other developers. If a server side of the plugin was run as a middle man between the place and the user, prevention of copy + re-uploading plugins would be possible.

As you would also know by now, Team Create has become widely used when creating games, which means more collaborative tools are required to make the process smoother. Allowing scripts to communicate to each other is currently difficult, not impossible though. Plugins like these are extremely handy and allow for information to be displayed to each user. One example I can think of off the top of my head is a multiplayer script editor plugin.

Monetization is another factor to consider. This may be a whole new concept to you, but it’s not new. Google allows you to download extensions for paid money. You may not want to force users to pay for your plugin, but you could decide to add extra features to a plugin if a user contains a certain game-pass/etc. Back to security, it’s widely known that you can never trust the client. If we use our client to detect game-pass / t-shirt purchases, the local player can just lie about having it. This wouldn’t even require an exploit either, someone could just edit the plugin’s code to allow the extra features.


Adding server side support would block attempts at ‘fake purchases’ in whole. Server side would act as the middle man as explained before. The server could check for the purchase before passing on a script or returning a value. This would make most plugins alike much easier to create. The filtering enabled support would also better support client to client via server communication as well as client - server and server - client.


How I suggest implementing the plugins:
I suggest an option such as ‘Publish as Server Side Plugin’.

This is how it would work:
1. Publishing plugins is the same as you’re used to: click the option called ‘Publish as Plugin…’
2. After you’ve published the plugin, you can now choose another folder in your place containing all of the server side scripts and upload as ‘Server side plugin’
3. When uploading a server side plugin, you choose the plugin you wish to apply a server side to. If a plugin doesn’t have a server side, it will stay the same as the strange Client-Server behavior.

Uploading the regular/ client side plugin:

Uploading a server side of a plugin:


I understand adding this feature would take a lot of work, but it would be incredibly handy for us developers. If there are any complications, please explain what they are in the reply section.

2 Likes

This makes no sense because in order for plugins to run, they need to be executed in the client’s studio.

8 Likes

I vaguely understand where you are coming from but the idea doesn’t make much sense :confused:

5 Likes

Yeah
No
Bad

  • Every edit session would have to become Team Create-esque, as in a server would be involved. I feel that is a waste of VMs that could be running actual games. (You would also have to publish a local file in order to get one of these sessions running in the first place)

  • Plugins are intended to help developers make games. You’re not helping by hiding how you’re helping.

3 Likes

These plugins are given absolute permissions over a developer’s place. Developers should be free to inspect and modify the plugins they install to make sure they aren’t malicious.

You should not be viewing the users of your plugin as an adversary to be defeated. Especially in this hypothetical world where they are paying customers.

That’s just the principle of the thing. Your idea for the implementation doesn’t line up to reality at all. Except for Team Create, there’s no server that’s active while in edit mode.

22 Likes

These plugins are given absolute permissions over a developer’s place. Developers should be free to inspect and modify the plugins they install to make sure they aren’t malicious.

I understand what you’re saying, but if a user finds that a plugin is malicious, they can uninstall it. It’s a bit like Roblox games such as scams, if they are malicious, you either leave the game or fall for the scam. I mean, you could allow the server side to be seen through the plugin if that helps, but there should still be a secure way to detect purchases without having a client maliciously edit the code. Also, I just want to ask about the difference in a Roblox game as you can’t see server scripts in those.

You should not be viewing the users of your plugin as an adversary to be defeated. Especially in this hypothetical world where they are paying customers.

There isn’t much motive to create plugins at the moment because there aren’t many benefits that come out of it. I believe monetization would boost the will to create useful plugins for everyone.

That’s just the principle of the thing. Your idea for the implementation doesn’t line up to reality at all. Except for Team Create, there’s no server that’s active while in edit mode.

This was an example of how I thought of implementing it, if there’s another way that all would be comfortable with, I and others would accept it just fine. Even just being able to pay for plugins would be helpful.

I do see some of the flaws now that you have pointed them out, I do think that some of them can be fixed on implementation though.

1 Like