Plugins should be able to loadstring and make http requests, regardless of the datamodel's type or enabled properties

As a Roblox developer, it is currently too hard to make http requests or execute code in a plugin. There are many cases where either HttpService or loadstring aren’t available, forcing plugin developers to use hacky methods to simulate loadstring or stop making http requests.

HttpService Availability

| Datamodel | HttpEnabled Required | Availability |
|---|---|---|
| Edit Mode | Yes | Yes |
| Server | Yes | Yes |
| Client | - | No |

It’s impossible to make requests without HttpEnabled, and you can’t make any requests in the client under any circumstances.

Since individual http permissions for plugins are already a thing, I see no downside to implementing this.

Loadstring Availability

| Datamodel | LoadStringEnabled Required | Availability |
|---|---|---|
| Edit Mode | No | Yes |
| Server | Yes | Yes |
| Client | - | No |

Loadstring has it a bit easier, since it can be used in edit mode without LoadStringEnabled, but the server still has the same problems and loadstring is disabled in the client, forcing plugin developers to use workarounds like creating a new module and editing its source.

Some might say that “always having loadstring permissions is too dangerous”, but this is already the case, just with edit mode (where most of the damage to the game can be made), so it’s an invalid argument.

If Roblox is able to address this issue, it would improve my development experience because plugin developers would no longer need to use hacky and impractical methods to simulate loadstring or use plugin settings to cache http results. This would be especially useful for plugins like command bars that need to execute user-provided code or plugins like Reclass or gitblox, which rely on requests to be able to work.


Support - plugins need a consistent environment to run in.

Regarding loadstring(), a quick note: while I do think it should be available to plugins (so we can stop using our hacky workarounds), it should probably be behind a plugin permission just like script modification is now - it’s pretty dangerous if you don’t know what you’re doing.


Big support, my BuiltIn plugin that lets me operate console commands is implemented through debug.loadmodule.

This is very hacky since loadmodule shouldn’t really be used by developers.