Option to allow HTTP request to host running the current application

[radu-matei]

I am trying to build the following scenario: I have two components, and am trying to make requests from one to the other.

Because I don't know the actual URL the application will be available at before hand, every time the application is moved I need to change the allowed_http_hosts configuration if I want to continue to be able to send request to another component of the same application.

There are two options I see:

• always allow requests to component of the same application
• similar to the insecure:allow-all option, add a self option

[radu-matei]

Expanding on this issue a bit more, here is where I am currently at:

• requests to components of the same application should be allowed by default
• we should enable outbound HTTP calls to /component-1 to expand to https://<full url where the application is running at>/component-1

[michelleN]

requests to components of the same application should be allowed by default

Do we want to restrict which components can requests to each other in the future or do we recommend people use the Spin application boundary for that (i.e if you want to restrict access, create a new Spin app for that component)?

[itowlson]

Arguably the component model way of looking at the world is "if you want to use the thing then you have to declare the thing as an import"; on the other hand, for HTTP, we do permissions at the host level, which would suggest the application as a boundary.