module-federation · 2heal1 · Apr 27, 2026 · Apr 27, 2026 · Apr 27, 2026
diff --git a/.changeset/tall-dodos-heal.md b/.changeset/tall-dodos-heal.md
@@ -0,0 +1,7 @@
+---
+"@module-federation/enhanced": patch
+"@module-federation/runtime": patch
+"@module-federation/runtime-core": patch
+---
+
+feat: add an optional remote origin allowlist for remote entry loading and allow configuring it from enhanced build options without changing the default behavior.
diff --git a/apps/website-new/docs/en/configure/_meta.json b/apps/website-new/docs/en/configure/_meta.json
@@ -49,6 +49,11 @@
     "name": "runtimeplugins",
     "label": "runtimePlugins"
   },
+  {
+    "type": "file",
+    "name": "security",
+    "label": "security"
+  },
   {
     "type": "file",
     "name": "getpublicpath",

diff --git a/apps/website-new/docs/en/configure/index.mdx b/apps/website-new/docs/en/configure/index.mdx
@@ -20,6 +20,11 @@ type ModuleFederationOptions = {
   getPublicPath?: string;
   // Runtime plugins
   runtimePlugins?: Array<string | [string, Record<string, unknown>]>;
+  // Runtime security options
+  security?: {
+    allowedRemoteOrigins?: string[];
+    [key: string]: unknown;
+  };
   // The runtime implementation to use
   implementation?: string;
   // manifest configuration

diff --git a/apps/website-new/docs/en/configure/security.mdx b/apps/website-new/docs/en/configure/security.mdx
@@ -0,0 +1,38 @@
+# security
+
+- Type: `{ allowedRemoteOrigins?: string[]; [key: string]: unknown }`
+- Required: No
+- Default value: `undefined`
+- Usage scenario: used to pass runtime security options
+
+At the moment, the built-in runtime behavior uses `allowedRemoteOrigins` to restrict which remote entry origins can be loaded. If you add extra fields under `security`, they are preserved and can be used by your own runtime extensions or plugins.
+
+## allowedRemoteOrigins
+
+- Type: `string[]`
+- Required: No
+- Default value: `undefined`
+
+When `allowedRemoteOrigins` is not set, remote loading behavior stays unchanged.
+
+Once `allowedRemoteOrigins` is configured, only matching network remote entry URLs can be loaded. This check applies to network remotes such as `http://`, `https://`, or protocol-relative URLs like `//cdn.example.com/remoteEntry.js`.
+
+Supported values:
+
+- `'*'`: allow all origins
+- Hostname such as `localhost` or `cdn.example.com`
+- Host with port such as `localhost:3001`
+- Exact origin such as `https://cdn.example.com`
+- Regex literal such as `/^https:\\/\\/.*\\.example\\.com$/`
+
+```ts title="rspack.config.ts"
+new ModuleFederationPlugin({
+  name: 'host',
+  remotes: {
+    remote: 'remote@https://cdn.example.com/remoteEntry.js',
+  },
+  security: {
+    allowedRemoteOrigins: ['cdn.example.com', 'localhost:3001'],
+  },
+});
+```
diff --git a/apps/website-new/docs/zh/configure/_meta.json b/apps/website-new/docs/zh/configure/_meta.json
@@ -49,6 +49,11 @@
     "name": "runtimeplugins",
     "label": "runtimePlugins"
   },
+  {
+    "type": "file",
+    "name": "security",
+    "label": "security"
+  },
   {
     "type": "file",
     "name": "getpublicpath",

diff --git a/apps/website-new/docs/zh/configure/index.mdx b/apps/website-new/docs/zh/configure/index.mdx
@@ -22,6 +22,11 @@ type ModuleFederationOptions {
     getPublicPath?: string;
     // 运行时插件（支持元组 [path, params]）
     runtimePlugins?: (string | [string, Record<string, unknown>])[];
+    // 运行时安全配置
+    security?: {
+      allowedRemoteOrigins?: string[];
+      [key: string]: unknown;
+    };
     // runtime pkg 依赖
     implementation?: string;
     // manifest 配置

diff --git a/apps/website-new/docs/zh/configure/security.mdx b/apps/website-new/docs/zh/configure/security.mdx
@@ -0,0 +1,38 @@
+# security
+
+- 类型：`{ allowedRemoteOrigins?: string[]; [key: string]: unknown }`
+- 是否必填：否
+- 默认值：`undefined`
+- 使用场景：用于传递运行时安全配置
+
+当前内置的运行时行为主要使用 `allowedRemoteOrigins` 来限制允许加载哪些远程入口来源。如果你在 `security` 下放了额外字段，它们会被原样保留，可供你自己的运行时扩展或插件使用。
+
+## allowedRemoteOrigins
+
+- 类型：`string[]`
+- 是否必填：否
+- 默认值：`undefined`
+
+如果不配置 `allowedRemoteOrigins`，远程加载行为保持不变。
+
+配置了 `allowedRemoteOrigins` 之后，只允许匹配到的网络远程入口地址继续加载。这个检查适用于 `http://`、`https://`，以及 `//cdn.example.com/remoteEntry.js` 这种协议相对地址。
+
+支持的写法：
+
+- `'*'`：允许所有来源
+- 主机名，例如 `localhost`、`cdn.example.com`
+- 主机名加端口，例如 `localhost:3001`
+- 精确来源，例如 `https://cdn.example.com`
+- 正则字面量，例如 `/^https:\\/\\/.*\\.example\\.com$/`
+
+```ts title="rspack.config.ts"
+new ModuleFederationPlugin({
+  name: 'host',
+  remotes: {
+    remote: 'remote@https://cdn.example.com/remoteEntry.js',
+  },
+  security: {
+    allowedRemoteOrigins: ['cdn.example.com', 'localhost:3001'],
+  },
+});
+```
diff --git a/packages/enhanced/README.md b/packages/enhanced/README.md
@@ -164,6 +164,44 @@ Used to add additional plug-ins required at runtime. The value is the path of th
 
 Once set, the runtime plugin is automatically injected and used at build time.
 
+### security
+
+- Type: `{ allowedRemoteOrigins?: string[] }`
+- Required: False
+- Default: `undefined`
+
+Used to restrict which remote entry origins can be loaded by the runtime.
+
+If this option is not set, the existing loading behavior remains unchanged.
+Once `allowedRemoteOrigins` is configured, only matching network remote entry URLs
+can be loaded.
+
+`allowedRemoteOrigins` supports:
+
+- `'*'` to allow all origins
+- hostnames such as `localhost` or `cdn.example.com`
+- host + port values such as `cdn.example.com:8080`
+- exact origins such as `https://cdn.example.com`
+- regex literals such as `/^https:\\/\\/.*\\.example\\.com$/`
+
+Example:
+
+```js
+module.exports = {
+  plugins: [
+    new ModuleFederationPlugin({
+      name: 'host',
+      remotes: {
+        remote: 'remote@https://cdn.example.com/remoteEntry.js',
+      },
+      security: {
+        allowedRemoteOrigins: ['cdn.example.com'],
+      },
+    }),
+  ],
+};
+```
+
 ### implementation
 
 - Type: `string`

diff --git a/packages/enhanced/src/lib/container/runtime/utils.ts b/packages/enhanced/src/lib/container/runtime/utils.ts
@@ -13,12 +13,15 @@ import type { moduleFederationPlugin } from '@module-federation/sdk';
 import type { init } from '@module-federation/runtime-tools';
 
 type Remotes = Parameters<typeof init>[0]['remotes'];
+type SecurityOptions = Parameters<typeof init>[0]['security'];
 
 export interface NormalizedRuntimeInitOptionsWithOutShared {
   name: string;
   remotes: Array<
     Remotes[0] & { externalType: moduleFederationPlugin.ExternalsType }
   >;
+  shareStrategy: 'version-first' | 'loaded-first';
+  security?: SecurityOptions;
 }
 
 const extractUrlAndGlobal = require(
@@ -98,10 +101,15 @@ export function normalizeRuntimeInitOptionsWithOutShared(
     });
   });
 
+  const security = options.security
+    ? (JSON.parse(JSON.stringify(options.security)) as SecurityOptions)
+    : undefined;
+
   const initOptionsWithoutShared = {
     name: options.name!,
     remotes: remoteOptions,
     shareStrategy: options.shareStrategy || 'version-first',
+    security,
   };
 
   return initOptionsWithoutShared;