feat: single point for security gate

Author: NathanWalker

NativeScript/runtime/HMRSupport.mm

@@ -240,6 +240,16 @@ void InitializeImportMetaHot(v8::Isolate* isolate,
 }
 
 bool HttpFetchText(const std::string& url, std::string& out, std::string& contentType, int& status) {
+  // Security gate: check if remote module loading is allowed before any HTTP fetch.
+  // This is the single point of enforcement for all HTTP module loading.
+  if (!IsRemoteUrlAllowed(url)) {
+    status = 403; // Forbidden
+    if (IsScriptLoadingLogEnabled()) {
+      Log(@"[http-esm][security][blocked] %s", url.c_str());
+    }
+    return false;
+  }
+  
   @autoreleasepool {
     NSURL* u = [NSURL URLWithString:[NSString stringWithUTF8String:url.c_str()]];
     if (!u) { status = 0; return false; }

NativeScript/runtime/ModuleInternalCallbacks.mm

@@ -96,28 +96,11 @@ static inline bool EndsWith(const std::string& value, const std::string& suffix)
   return std::equal(suffix.rbegin(), suffix.rend(), value.rbegin());
 }
 
-// HTTP ESM loader helpers
-
 static inline bool StartsWith(const std::string& s, const char* prefix) {
   size_t n = strlen(prefix);
   return s.size() >= n && s.compare(0, n, prefix) == 0;
 }
 
-// Security gate
-// In debug mode, all URLs are allowed. In production, checks security.allowRemoteModules and security.remoteModuleAllowlist
-static inline bool IsHttpUrlAllowedForLoading(const std::string& url) {
-  return IsRemoteUrlAllowed(url);
-}
-
-// Helper to create a security error message for blocked remote modules
-static std::string GetRemoteModuleBlockedMessage(const std::string& url) {
-  if (!IsRemoteModulesAllowed()) {
-    return "Remote ES modules are not allowed in production. URL: " + url +
-           ". Enable via security.allowRemoteModules in nativescript.config";
-  }
-  return "Remote URL not in security.remoteModuleAllowlist: " + url;
-}
-
 
 static v8::MaybeLocal<v8::Module> CompileModuleFromSource(v8::Isolate* isolate, v8::Local<v8::Context> context,
                                                           const std::string& code, const std::string& urlStr) {
@@ -741,17 +724,8 @@ static bool IsDocumentsPath(const std::string& path) {
   // ── Early absolute-HTTP fast path ─────────────────────────────
   // If the specifier itself is an absolute HTTP(S) URL, resolve it immediately via
   // the HTTP loader and return before any filesystem candidate logic runs.
+  // Security: HttpFetchText gates remote module access centrally.
   if (StartsWith(spec, "http://") || StartsWith(spec, "https://")) {
-    // Security check: block if remote modules not allowed
-    if (!IsHttpUrlAllowedForLoading(spec)) {
-      std::string msg = GetRemoteModuleBlockedMessage(spec);
-      if (IsScriptLoadingLogEnabled()) {
-        Log(@"[resolver][security] blocked remote module: %s", spec.c_str());
-      }
-      isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
-      return v8::MaybeLocal<v8::Module>();
-    }
-    
     std::string key = CanonicalizeHttpUrlKey(spec);
     // Added instrumentation for unified phase logging
     Log(@"[http-esm][compile][begin] %s", key.c_str());
@@ -850,7 +824,7 @@ static bool IsDocumentsPath(const std::string& path) {
   // ("./" or "../") or root-absolute ("/") specifiers should resolve against the
   // referrer's URL, not the local filesystem. Mirror browser behavior by using NSURL
   // to construct the absolute URL, then return an HTTP-loaded module immediately.
-  // Security: Gated by IsHttpUrlAllowedForLoading.
+  // Security: HttpFetchText gates remote module access centrally.
   bool referrerIsHttp = (!referrerPath.empty() && (StartsWith(referrerPath, "http://") || StartsWith(referrerPath, "https://")));
   bool specIsRootAbs = !spec.empty() && spec[0] == '/';
   if (referrerIsHttp && (specIsRelative || specIsRootAbs)) {
@@ -871,16 +845,7 @@ static bool IsDocumentsPath(const std::string& path) {
       }
     }
     if (!resolvedHttp.empty() && (StartsWith(resolvedHttp, "http://") || StartsWith(resolvedHttp, "https://"))) {
-      // Security check: block if remote modules not allowed
-      if (!IsHttpUrlAllowedForLoading(resolvedHttp)) {
-        std::string msg = GetRemoteModuleBlockedMessage(resolvedHttp);
-        if (IsScriptLoadingLogEnabled()) {
-          Log(@"[resolver][security] blocked remote module (rel): %s", resolvedHttp.c_str());
-        }
-        isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
-        return v8::MaybeLocal<v8::Module>();
-      }
-      
+      // Security: HttpFetchText gates remote module access centrally.
       if (IsScriptLoadingLogEnabled()) {
         Log(@"[resolver][http-rel] base=%s spec=%s -> %s", referrerPath.c_str(), spec.c_str(), resolvedHttp.c_str());
       }
@@ -1045,17 +1010,8 @@ static bool IsDocumentsPath(const std::string& path) {
   std::string absPath;
 
   // If the specifier is an HTTP(S) URL, fetch via HTTP loader and return
+  // Security: HttpFetchText gates remote module access centrally.
   if (StartsWith(spec, "http://") || StartsWith(spec, "https://")) {
-    // Security check: block if remote modules not allowed
-    if (!IsHttpUrlAllowedForLoading(spec)) {
-      std::string msg = GetRemoteModuleBlockedMessage(spec);
-      if (IsScriptLoadingLogEnabled()) {
-        Log(@"[resolver][security] blocked remote module: %s", spec.c_str());
-      }
-      isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
-      return v8::MaybeLocal<v8::Module>();
-    }
-    
     std::string key = CanonicalizeHttpUrlKey(spec);
     if (IsScriptLoadingLogEnabled()) {
       Log(@"[http-esm][compile][begin] %s", key.c_str());
@@ -1141,7 +1097,7 @@ static bool IsDocumentsPath(const std::string& path) {
 
     // If a candidate accidentally embeds a collapsed HTTP URL like '/app/http:/host/...',
     // reconstruct the HTTP URL and resolve via the HTTP loader instead of touching the filesystem.
-    // Security: Gated by IsHttpUrlAllowedForLoading.
+    // Security: HttpFetchText gates remote module access centrally.
     auto rerouteHttpIfEmbedded = [&](const std::string& p) -> bool {
       size_t pos1 = p.find("/http:/");
       size_t pos2 = p.find("/https:/");
@@ -1156,16 +1112,6 @@ static bool IsDocumentsPath(const std::string& path) {
       }
       if (!(StartsWith(tail, "http://") || StartsWith(tail, "https://"))) return false;
 
-      // Security check: block if remote modules not allowed
-      if (!IsHttpUrlAllowedForLoading(tail)) {
-        if (IsScriptLoadingLogEnabled()) {
-          Log(@"[resolver][security] blocked embedded remote module: %s", tail.c_str());
-        }
-        std::string msg = GetRemoteModuleBlockedMessage(tail);
-        isolate->ThrowException(v8::Exception::Error(tns::ToV8String(isolate, msg.c_str())));
-        return false;
-      }
-      
       if (IsScriptLoadingLogEnabled()) { Log(@"[resolver][http-embedded] %s -> %s", p.c_str(), tail.c_str()); }
       std::string key = CanonicalizeHttpUrlKey(tail);
       auto itExisting = g_moduleRegistry.find(key);
@@ -1970,17 +1916,8 @@ static bool IsDocumentsPath(const std::string& path) {
     }
 
     // If spec is an HTTP(S) URL, try HTTP fetch+compile directly
+    // Security: HttpFetchText gates remote module access centrally.
     if (!normalizedSpec.empty() && (StartsWith(normalizedSpec, "http://") || StartsWith(normalizedSpec, "https://"))) {
-      // Security check: block if remote modules not allowed
-      if (!IsHttpUrlAllowedForLoading(normalizedSpec)) {
-        std::string msg = GetRemoteModuleBlockedMessage(normalizedSpec);
-        if (IsScriptLoadingLogEnabled()) {
-          Log(@"[dyn-import][security] blocked remote module: %s", normalizedSpec.c_str());
-        }
-        resolver->Reject(context, v8::Exception::Error(tns::ToV8String(isolate, msg.c_str()))).FromMaybe(false);
-        return scope.Escape(resolver->GetPromise());
-      }
-      
       if (IsScriptLoadingLogEnabled()) {
         Log(@"[dyn-import][http-loader] trying URL %s", normalizedSpec.c_str());
       }