Feature: allow wildcard in http allowed_host

[Mossaka]

We should have a allowed_http_hosts = ["*"] option to allow all all hosts. This is dangerous but in rare cases should be useful - like handling a webhook callback.

[lann]

While I can see the necessity of something like this, I think we need to be cautious here. Allowing unrestricted outbound connections is pretty powerful; by default this would include outbound connections to the host's local network, localhost, etc.

[Mossaka]

My thought is that we should clearly document this and put a big WARNING sign when user is using the "*" in their component.

[lann]

I would be happier if we made the string scarier 🙂 , maybe something like insecure:allow-all?

[Mossaka]

Will this be a string in allowed_http_hosts, or it deserves its own component field?

[lann]

I'm fine with it going in allowed_http_hosts (the : keeps it from being a valid host name). I think we'll want to adjust the fields in the future anyway for e.g. deislabs/wasi-experimental-http#87

[Mossaka]

updated the pr to have insecure:allow-all