From 0006f34ce5eab2d233154aee4b8f5715f298c030 Mon Sep 17 00:00:00 2001 From: Graham Lea Date: Tue, 30 Jun 2020 17:33:03 +1000 Subject: [PATCH 1/4] Document pre-compiled schemas for CSP in README Pre-compiled schemas are a workaround for maintaining a secure Content Security Policy (CSP) Fixes #1228 --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index c340f339c..bae892d27 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,15 @@ Ajv is tested with these browsers: __Please note__: some frameworks, e.g. Dojo, may redefine global require in such way that is not compatible with CommonJS module format. In such case Ajv bundle has to be loaded before the framework and then you can use global Ajv (see issue [#234](https://github.com/ajv-validator/ajv/issues/234)). +### Ajv & Content Security Policies (CSP) + +If you're using Ajv to compile a schema (the typical use) in a browser document that is loaded with a Content Security Policy (CSP), that policy will require a `script-src` directive that includes the value `'unsafe-eval'`. +:warning: NOTE, however, that `unsafe-eval` is NOT recommended in a secure CSP[[1]](https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval), as it has the potential to open the document to cross-site scripting (XSS) attacks. + +In order to make use of Ajv without easing your CSP, you can [pre-compile a schema using the CLI](https://github.com/ajv-validator/ajv-cli#compile-schemas). This will transpile the schema JSON into a JavaScript file that exports a `validate` function that works simlarly to a schema compiled at runtime. +Note that the pre-compiled schemas, which are created using [ajv-pack](https://github.com/ajv-validator/ajv-pack#limitations), are not functionally equivalent to Ajv and there are known limitations. + + ## Command line interface CLI is available as a separate npm package [ajv-cli](https://github.com/ajv-validator/ajv-cli). It supports: 
From c581ff3dc1cc6e0acb39e16e2b0f2bcce5dc8857 Mon Sep 17 00:00:00 2001 From: Graham Lea Date: Tue, 30 Jun 2020 21:24:29 +1000 Subject: [PATCH 2/4] Clarify limitations of ajv-pack in README Fixes #1228 --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bae892d27..7d2b1f0ea 100644 --- a/README.md +++ b/README.md 
@@ -238,13 +238,14 @@ Ajv is tested with these browsers: __Please note__: some frameworks, e.g. Dojo, may redefine global require in such way that is not compatible with CommonJS module format. In such case Ajv bundle has to be loaded before the framework and then you can use global Ajv (see issue [#234](https://github.com/ajv-validator/ajv/issues/234)). -### Ajv & Content Security Policies (CSP) +### Ajv and Content Security Policies (CSP) If you're using Ajv to compile a schema (the typical use) in a browser document that is loaded with a Content Security Policy (CSP), that policy will require a `script-src` directive that includes the value `'unsafe-eval'`. :warning: NOTE, however, that `unsafe-eval` is NOT recommended in a secure CSP[[1]](https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval), as it has the potential to open the document to cross-site scripting (XSS) attacks. In order to make use of Ajv without easing your CSP, you can [pre-compile a schema using the CLI](https://github.com/ajv-validator/ajv-cli#compile-schemas). This will transpile the schema JSON into a JavaScript file that exports a `validate` function that works simlarly to a schema compiled at runtime. -Note that the pre-compiled schemas, which are created using [ajv-pack](https://github.com/ajv-validator/ajv-pack#limitations), are not functionally equivalent to Ajv and there are known limitations. + +Note that pre-compilation of schemas is performed using [ajv-pack](https://github.com/ajv-validator/ajv-pack) and there are [some limitations to the schema features it can compile](https://github.com/ajv-validator/ajv-pack#limitations). A successfully pre-compiled schema is equivalent to the same schema compiled at runtime. ## Command line interface From 0e2c3463a28ac19b5ea8324511889540c41125fa Mon Sep 17 00:00:00 2001 
From: Graham Lea Date: Tue, 30 Jun 2020 21:26:54 +1000 Subject: [PATCH 3/4] Add Contents link to CSP section Fixes #1228 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7d2b1f0ea..29beb7286 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,7 @@ ajv.addMetaSchema(require('ajv/lib/refs/json-schema-draft-04.json')); - [Getting started](#getting-started) - [Frequently Asked Questions](https://github.com/ajv-validator/ajv/blob/master/FAQ.md) - [Using in browser](#using-in-browser) + - [Ajv and Content Security Policies (CSP)](#ajv-and-content-security-policies-csp) - [Command line interface](#command-line-interface) - Validation - [Keywords](#validation-keywords) From fd64fb4c939c6f6b8d68aa4c6c57d8be8cc1994d Mon Sep 17 00:00:00 2001 From: Graham Lea Date: Tue, 30 Jun 2020 21:31:56 +1000 Subject: [PATCH 4/4] Add link to CSP section in Security section Fixes #1228 --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 29beb7286..5e502db93 100644 --- a/README.md +++ b/README.md @@ -733,6 +733,10 @@ isSchemaSecure(schema2); // true __Please note__: following all these recommendation is not a guarantee that validation of untrusted data is safe - it can still lead to some undesirable results. +##### Content Security Policies (CSP) +See [Ajv and Content Security Policies (CSP)](#ajv-and-content-security-policies-csp) + + ## ReDoS attack Certain regular expressions can lead to the exponential evaluation time even with relatively short strings.
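Review bot: in PATCH 1/4 the new README section has a typo in the sentence describing the CLI output, "works simlarly to a schema compiled at runtime" should read "works similarly"; while touching that line, quote the directive value consistently, since the first paragraph writes `'unsafe-eval'` (with the single quotes CSP requires) and the warning writes `unsafe-eval` without them. The warning's citation points at a Chrome-extension-specific page (developer.chrome.com/extensions/contentSecurityPolicy); a general CSP reference would serve README readers who are not writing extensions. Also, the hunk inserts two blank lines before `## Command line interface` where the surrounding README uses one.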
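Review bot: PATCH 2/4 leaves the section internally inconsistent: the unchanged context line still says a pre-compiled schema "works simlarly to a schema compiled at runtime" while the new sentence says "A successfully pre-compiled schema is equivalent to the same schema compiled at runtime". Pick one claim (the ajv-pack limitations link suggests "equivalent, within the documented limitations") and fix the "simlarly" typo in the same commit, since this patch already rewrites the adjacent line. The extra blank line added before "Note that pre-compilation" is harmless but not needed.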
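Review bot: the contents entry added in PATCH 3/4 links to `#ajv-and-content-security-policies-csp`, which is the GitHub slug for the heading as renamed in PATCH 2/4 ("Ajv and Content Security Policies (CSP)"), not for the original "Ajv & Content Security Policies (CSP)" heading from PATCH 1/4. That makes the series order-dependent; if these commits are squashed or reordered on merge, verify the anchor still resolves. The two-space indent nests the entry under "Using in browser", which matches the heading being a `###` under that `##` section.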
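Review bot: in PATCH 4/4 the new `##### Content Security Policies (CSP)` heading in the Security section is a bare cross-reference; one sentence stating why CSP belongs in a security discussion (compiling a schema at runtime requires `'unsafe-eval'` in `script-src`, as the linked section explains) would make the pointer useful on its own. The "See [...]" line should end with a period, and the hunk again inserts two blank lines before `## ReDoS attack` where one would match the surrounding layout.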