Only allowed urls can be accessed on the plugins. Allow list is per plugin.
Basically on the configuration file for each plugin, users should specify any domain they wish to send requests to. If they try to send a request to a domain which is not specified there, the request should be denied.
For this to work, the Runtime should have the configuration for all the plugins.
Also, today we don't have a way to return error to users, we can just add for now a error field on HttpResponse as a quick workaround or we can modify the response to an object that has the HtthResponse and an error, something like:
record error {
code: int,
message: string,
}
record response {
http: http-response,
error: error,
}
Otherwise, if result is working for wit-bindgen we can use it: https://github.com/WebAssembly/component-model/blob/main/design/mvp/WIT.md