Local scripts cannot require PUBLIC modules from the site

Requiring a module from the site (i.e. require(182880820)), regardless of whether it is public or private, results in an error. I understand disallowing requiring PRIVATE modules from local scripts, as the source shouldn’t be available to the client, but if the module is PUBLIC, there should be no reason to disallow the use of that module in a local script.

It’s like this to prevent loading of malicious modules, allowing script injection. Plus, the LocalScript would not be able to interpret it due to clients only being able to execute RBXLua bytecode now.

If that’s the case then why are local scripts able to require in-game modules?

I assume the scripts are precompiled to bytecode.

If I remember, modules are inserted by the InsertService, THEN if the module “MainModule” exists, it requires it. The fact the InsertService is disabled for LocalScripts makes that impossible.

Actually, InsertService isn’t disabled for local scripts. It’s only restricted to “trusted” (ROBLOX) assets and models created (not owned), with server scripts being able to insert any public or creator-owned model. Although, I would actually prefer if what you said was the case though.

This would have too many vulnerabilities.

What if they hash the source?
Sure, let me first upload a MS myself and require it, getting the source including the hash.
RIP security

What if it’s hashed per game?
That could actually work… but still very difficult to make very secure

It’s not a bug. It’s a security feature.

Security is an issue, but that can easily be rectified by using the same restrictions local InsertService has on it since they’re essentially the same thing: modules created (not just owned) by the place creator or trusted assets.

If implemented properly, it would not be a security issue because the ModuleScript would be replicated down to clients, probably through InsertService, but already in bytecode form. The main issue is whether the place creator’s copylocked modules should be requirable from the client.

Actually this is a security concern because it would allow clients to run arbitrary code on any game if they could require whichever public modules they want. Right now they’re restricted to the ModuleScripts that are inserted by the game server or are already present in the game server.