Fix protocol validation with proper security checks for extension URLs #113

Open
lukem235 wants to merge 2 commits into main from fix-protocols
Conversation

lukem235 (Contributor) commented Feb 24, 2026

Description

This PR fixes critical security vulnerabilities in extension URL protocol validation by replacing weak string prefix checks with proper URL validation and protocol enforcement.

Related Issue

Addresses security issues in URL handling where weak validation could allow dangerous protocols to slip through.

Motivation and Context

Problem: The previous implementation used .startsWith("http") validation which is insufficient because:

  • Accepts invalid strings like httpx://, httpsomething://, http-evil://
  • Doesn't validate URL structure or protocol
  • Could allow dangerous protocols (javascript:, data:, file:) to pass through
  • Silently "fixes" malformed URLs instead of rejecting them
  • No proper error handling - URL construction failures could crash extension loading

Solution: Implemented proper security-focused URL validation:

  • Created centralized isValidHttpUrl() utility using URL constructor with protocol checking
  • Only allows http:// and https:// protocols
  • Rejects all dangerous protocols (javascript:, data:, file:, ftp:, ws:, wss:, about:)
  • Invalid extensions are logged but don't block other extensions from loading
  • Clear error messages help developers understand and fix issues

Changes Made

New Files

  • packages/uix-host/src/utils/url-validation.ts - Centralized URL validation utility
  • packages/uix-host/src/utils/url-validation.test.ts - Comprehensive test coverage (11 tests)

Modified Files

  • packages/uix-host/src/host.ts - Added proper URL validation in loadOneGuest() before Port creation
  • packages/uix-host/src/index.ts - Exported isValidHttpUrl as public API
  • packages/uix-host-react/src/components/GuestUIFrame.tsx - Added URL validation with error handling
  • packages/uix-host-react/src/components/ExtensibleWrapper/UrlExtensionProvider.ts - Removed duplicate validation, imports from @adobe/uix-host

How Has This Been Tested?

  • ✅ All unit tests pass (13 test suites, 71 tests)
  • ✅ New comprehensive test coverage for URL validation including:
    • Valid http/https URLs
    • Dangerous protocols (javascript:, data:, file:)
    • Weak validation bypass attempts
    • Malformed URLs
    • Edge cases (null, undefined, empty strings)
  • ✅ Build succeeds without errors
  • ✅ Invalid extensions properly rejected with clear error messages
  • ✅ Valid extensions continue loading when others fail

Security Improvements

  • Before: Weak .startsWith("http") check allowed bypass attempts
  • After: Proper URL constructor with strict http: or https: protocol validation
  • Dangerous protocols blocked: javascript:, data:, file:, ftp:, ws:, wss:, about:
  • Graceful degradation: Failed extensions don't crash the system or block valid ones

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • Security improvement

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • No breaking changes for valid URLs

Note: Formatting/linting changes are intentionally excluded from this PR and will be handled separately.
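
The contrast the description draws between the prefix check and parsing with the URL constructor, as an added example that is not part of this PR or the project's code. The body of `isValidHttpUrl` is an assumption based on the description; `weakPrefixCheck`, `partitionExtensions` and the sample entries are hypothetical and constructed for illustration.

```typescript
// Added illustration; not the project's url-validation.ts.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// The "before" behaviour described in the PR: a bare prefix test.
function weakPrefixCheck(value: unknown): boolean {
  return typeof value === "string" && value.startsWith("http");
}

// Assumed shape of the fix: parse first, then compare the parsed scheme
// against an allowlist instead of trying to enumerate bad schemes.
function isValidHttpUrl(value: unknown): boolean {
  if (typeof value !== "string" || value.length === 0) return false;
  try {
    return ALLOWED_PROTOCOLS.has(new URL(value).protocol);
  } catch {
    return false; // not an absolute URL at all, e.g. "http"
  }
}

type Extension = { id: string; url: unknown };

// Hypothetical loader step: reject bad entries individually so one invalid
// URL is logged and skipped without blocking the remaining extensions.
function partitionExtensions(exts: Extension[]) {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const ext of exts) {
    if (isValidHttpUrl(ext.url)) {
      accepted.push(ext.id);
    } else {
      console.warn(`extension "${ext.id}" skipped: URL must be http: or https:`);
      rejected.push(ext.id);
    }
  }
  return { accepted, rejected };
}

// Constructed sample registry entries.
const SAMPLE: Extension[] = [
  { id: "ok-https", url: "https://example.com/ext/index.html" },
  { id: "ok-http", url: "http://localhost:9080/" },
  { id: "lookalike", url: "httpx://example.com/ext" },
  { id: "hyphenated", url: "http-evil://example.com/ext" },
  { id: "no-scheme", url: "http" },
  { id: "script", url: "javascript:void(0)" },
  { id: "missing", url: undefined },
];

console.log(partitionExtensions(SAMPLE));
```

The URL parser normalizes what it accepts (the scheme is lowercased, for instance), so code that loads the extension should use the parsed value and not the raw string.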

Łukasz Molski and others added 2 commits March 12, 2026 15:17
Replace weak .startsWith("http") validation with proper URL constructor
and protocol checking. Only allow http:// and https:// protocols,
rejecting dangerous protocols (javascript:, data:, file:, etc.).
Failed extensions are logged but don't block other extensions from loading.

Co-authored-by: Claude <noreply@anthropic.com>
fe-lix- changed the title from "Fix protocols" to "Fix protocol validation with proper security checks for extension URLs" on Mar 12, 2026