feat: single point for security gate

Author: NathanWalker

test-app/runtime/src/main/cpp/HMRSupport.cpp

@@ -210,10 +210,23 @@ std::string CanonicalizeHttpUrlKey(const std::string& url) {
 }
 
 // Minimal HTTP fetch using java.net.* via JNI. Returns true on success (2xx) and non-empty body.
+// Security: This is the single point of enforcement for remote module loading.
+// In debug mode, all URLs are allowed. In production, checks security.allowRemoteModules
+// and security.remoteModuleAllowlist from the app config.
 bool HttpFetchText(const std::string& url, std::string& out, std::string& contentType, int& status) {
   out.clear();
   contentType.clear();
   status = 0;
+  
+  // Security gate: check if remote module loading is allowed before any HTTP fetch.
+  if (!IsRemoteUrlAllowed(url)) {
+    status = 403; // Forbidden
+    if (IsScriptLoadingLogEnabled()) {
+      DEBUG_WRITE("[http-esm][security][blocked] %s", url.c_str());
+    }
+    return false;
+  }
+  
   try {
     JEnv env;
 

test-app/runtime/src/main/cpp/ModuleInternalCallbacks.cpp

@@ -24,22 +24,6 @@ extern std::unordered_map<std::string, v8::Global<v8::Module>> g_moduleRegistry;
 // Forward declaration used by logging helper
 std::string GetApplicationPath();
 
-// Logging flag now provided via DevFlags for fast cached access
-
-// Security gate
-// In debug mode, all URLs are allowed. In production, checks security.allowRemoteModules and security.remoteModuleAllowlist
-static inline bool IsHttpUrlAllowedForLoading(const std::string& url) {
-  return IsRemoteUrlAllowed(url);
-}
-
-// Helper to create a security error message for blocked remote modules
-static std::string GetRemoteModuleBlockedMessage(const std::string& url) {
-  if (!IsRemoteModulesAllowed()) {
-    return "Remote ES modules are not allowed in production. URL: " + url +
-           ". Enable via security.allowRemoteModules in nativescript.config.ts";
-  }
-  return "Remote URL not in security.remoteModuleAllowlist: " + url;
-}
 
 // Diagnostic helper: emit detailed V8 compile error info for HTTP ESM sources.
 static void LogHttpCompileDiagnostics(v8::Isolate* isolate,
@@ -388,17 +372,8 @@ v8::MaybeLocal<v8::Module> ResolveModuleCallback(v8::Local<v8::Context> context,
     }
 
     // HTTP(S) ESM support: resolve, fetch and compile from dev server
+    // Security: HttpFetchText gates remote module access centrally.
     if (spec.rfind("http://", 0) == 0 || spec.rfind("https://", 0) == 0) {
-        // Security gate: check if remote module loading is allowed
-        if (!IsHttpUrlAllowedForLoading(spec)) {
-            std::string msg = GetRemoteModuleBlockedMessage(spec);
-            if (IsScriptLoadingLogEnabled()) {
-                DEBUG_WRITE("[http-esm][security][blocked] %s", msg.c_str());
-            }
-            isolate->ThrowException(v8::Exception::Error(ArgConverter::ConvertToV8String(isolate, msg)));
-            return v8::MaybeLocal<v8::Module>();
-        }
-        
         std::string canonical = tns::CanonicalizeHttpUrlKey(spec);
         if (IsScriptLoadingLogEnabled()) {
             DEBUG_WRITE("[http-esm][resolve] spec=%s canonical=%s", spec.c_str(), canonical.c_str());
@@ -893,17 +868,8 @@ v8::MaybeLocal<v8::Promise> ImportModuleDynamicallyCallback(
     }
 
     // Handle HTTP(S) dynamic import directly
+    // Security: HttpFetchText gates remote module access centrally.
     if (!spec.empty() && isHttpLike(spec)) {
-        // Security gate: check if remote module loading is allowed
-        if (!IsHttpUrlAllowedForLoading(spec)) {
-            std::string msg = GetRemoteModuleBlockedMessage(spec);
-            if (IsScriptLoadingLogEnabled()) {
-                DEBUG_WRITE("[http-esm][dyn][security][blocked] %s", msg.c_str());
-            }
-            resolver->Reject(context, v8::Exception::Error(ArgConverter::ConvertToV8String(isolate, msg))).Check();
-            return scope.Escape(resolver->GetPromise());
-        }
-        
         std::string canonical = tns::CanonicalizeHttpUrlKey(spec);
         if (IsScriptLoadingLogEnabled()) {
             DEBUG_WRITE("[http-esm][dyn][resolve] spec=%s canonical=%s", spec.c_str(), canonical.c_str());