Open heinerlamprecht opened 2 years ago
@heinerlamprecht Hi! Sorry for the late response.
This can be used with CSP via pre-compiling, as mentioned in the documentation: https://github.com/ExodusMovement/schemasafe#generate-modules
To do this, the schemas should be known prior to runtime, and pre-built. This way, runtime won't need to execute dynamically built validators.
> Note: The application connects to a REST-Service and the schemas are not known at build-time. Instead they are downloaded from the REST-API.
Ah, I see.
Are the schemas trusted or not? If yes, they could perhaps be shipped in pre-compiled form via a proxy (perhaps even a separate host)?
Using untrusted schemas could cause DoS even with all the checks, regardless of the validator used.
> To do this, the schemas should be known prior to runtime, and pre-built. This way, runtime won't need to execute dynamically built validators.
How can I use this compiled module in an application?
> How can I use this compiled module in an application?
I'm not sure about the nature of the question, that depends on the exact setup.
After applying proper CSP-settings, the validator does not work anymore. Console shows:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script
Unfortunately, "unsafe-eval" is prohibited in lots of governmental organisations or Top-500 companies.
Note: The application connects to a REST-Service and the schemas are not known at build-time. Instead they are downloaded from the REST-API.
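
The pre-compile approach discussed in this thread, as an added example that is not part of the original discussion and does not use schemasafe's own API. `compileToSource` is a hypothetical, minimal stand-in for a validator compiler, and a Node `vm` context with string code generation disabled stands in for a browser page whose CSP omits 'unsafe-eval'.

```javascript
// Added example. compileToSource() is a hypothetical stand-in for a validator
// compiler; it only handles `required` and string/number/boolean `type` checks.
const vm = require('node:vm');

// Build step (server or proxy side): turn a trusted schema into JS source text.
function compileToSource(schema) {
  const checks = [];
  for (const key of schema.required || []) {
    // JSON.stringify embeds schema-supplied names as string literals, not code.
    checks.push(`if (!has.call(data, ${JSON.stringify(key)})) return false;`);
  }
  for (const [key, sub] of Object.entries(schema.properties || {})) {
    const k = JSON.stringify(key);
    const t = JSON.stringify(sub.type);
    checks.push(`if (has.call(data, ${k}) && typeof data[${k}] !== ${t}) return false;`);
  }
  return `globalThis.validate = function (data) {
  const has = Object.prototype.hasOwnProperty;
  if (typeof data !== 'object' || data === null) return false;
  ${checks.join('\n  ')}
  return true;
};`;
}

// Stand-in for a page whose CSP omits 'unsafe-eval': inside this context,
// eval and new Function throw EvalError.
function makeLockedContext(globals = {}) {
  return vm.createContext(globals, { codeGeneration: { strings: false, wasm: false } });
}

// Runtime compilation, as a validator does when it builds itself in the page.
function tryRuntimeCompile(source) {
  try {
    vm.runInContext('new Function(source)()', makeLockedContext({ source }));
    return 'ok';
  } catch (err) {
    return err.name; // 'EvalError' when string code generation is blocked
  }
}

// Pre-built delivery: the same source is loaded like a static script file.
function loadPrebuilt(source) {
  const ctx = makeLockedContext();
  vm.runInContext(source, ctx, { filename: 'validate.prebuilt.js' });
  return ctx.validate;
}

// Constructed sample schema, standing in for one the REST API would serve.
const sampleSchema = { required: ['id'], properties: { id: { type: 'number' }, name: { type: 'string' } } };
```

In a browser deployment the string returned by `compileToSource` would be written to a file at build time, or served by the proxy, and loaded through a `<script src>` that the page's `script-src` directive allows.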