ampproject / amphtml

The AMP web component framework.
https://amp.dev
Apache License 2.0

Data validation for Premutating State in AMP Bind #18012

Open jshau opened 5 years ago

jshau commented 5 years ago

The premutate feature currently does not check the data being passed into the premutate operation. This means that if the premutate state can be specified in the query params, an attacker can send a user a link that puts the document in a dangerous initial state that the developer has not planned for.

Objectives: Since Premutate State is an input to the AMP document often derived from (untrusted) user input, it must be validated against the expected preconditions of the AMP document before being used within. By requiring developers to define the full expected format (schema) of the Premutate State JSON, we can ensure:

  1. Only expected parts of AMP State are modifiable by the Premutate State, including nested JSON, not just top level AMP State keys. It's clear to developers which parts of the AMP State are input and to what extent that part can be trusted (based on the detail of the schema validation). The developer can enforce common expectations on the input data (e.g. type, range, etc), so it can be used without complex amp-bind logic or extra round trips to their servers to validate, even though it originated from untrusted sources.

  2. Of course some types of input validation cannot be performed by schema validation (e.g. "is this a valid widget ID?"). Such validation is a non-goal here, since that will likely require a call to the third party server to validate, which can be done during the or call, as usual, without additional runtime support. Developers must still take care to do this as appropriate.

Proposed Solution: Since the Premutate State is a JSON object, it's natural to describe the expected input to the AMP document by including a schema for the Premutate State JSON.

JSON Schema is a draft standard for specifying the format of JSON documents analogous to XSD for XML, where the schema itself is a JSON object. In addition to simple structural validation, JSON schema allows more powerful validations, including range, regex, enum, and even semantic types, like date-time, etc.

To use Premutate State, instead of marking specific as overrideable an AMP Document would include a
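The following is an added illustration of the validation the proposal describes, not code from amphtml: a small validator for a subset of JSON Schema (type, properties, required, additionalProperties, enum, range, pattern) that is run over an untrusted premutate-state object taken from the query string before anything is applied to AMP State. The schema, the `amp_state` query parameter name and the function names are assumptions for the example.

```javascript
// Added example, not amphtml code. Hypothetical schema: the document only expects
// `theme` and `cart.qty` (plus an optional `cart.coupon`); anything else is rejected.
const PREMUTATE_SCHEMA = {
  type: 'object', additionalProperties: false,
  properties: {
    theme: {type: 'string', enum: ['light', 'dark']},
    cart: {
      type: 'object', additionalProperties: false, required: ['qty'],
      properties: {qty: {type: 'integer', minimum: 1, maximum: 99},
                   coupon: {type: 'string', pattern: '^[A-Z0-9]{4,8}$'}},
    },
  },
};
// Own-property check so keys like "__proto__" or "constructor" never match inherited ones.
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function typeOf(v) {
  if (v === null) return 'null';
  if (Array.isArray(v)) return 'array';
  if (typeof v === 'number') return Number.isInteger(v) ? 'integer' : 'number';
  return typeof v;
}
// Returns a list of error strings; an empty list means the value conforms to the schema.
function validate(value, schema, path = '$') {
  const t = typeOf(value);
  if (schema.type && t !== schema.type && !(schema.type === 'number' && t === 'integer')) {
    return [`${path}: expected ${schema.type}, got ${t}`]; // later checks assume the type
  }
  const errors = [];
  if (schema.enum && !schema.enum.includes(value)) errors.push(`${path}: not in enum`);
  if ((schema.minimum !== undefined && value < schema.minimum) || (schema.maximum !== undefined && value > schema.maximum)) errors.push(`${path}: out of range`);
  if (schema.pattern && !new RegExp(schema.pattern).test(value)) errors.push(`${path}: pattern mismatch`);
  if (t === 'object') {
    const props = schema.properties || {};
    for (const k of schema.required || []) if (!own(value, k)) errors.push(`${path}.${k}: required`);
    for (const [k, child] of Object.entries(value)) { // nested keys are checked recursively
      if (own(props, k)) errors.push(...validate(child, props[k], `${path}.${k}`));
      else if (schema.additionalProperties === false) errors.push(`${path}.${k}: not allowed`);
    }
  }
  return errors;
}
// Parse the premutate payload from the query string; the whole object is dropped unless it conforms.
function loadPremutateState(queryString) {
  const raw = new URLSearchParams(queryString).get('amp_state'); // hypothetical param name
  if (raw === null) return {state: null, errors: []};
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return {state: null, errors: ['$: invalid JSON']}; }
  const errors = validate(parsed, PREMUTATE_SCHEMA);
  return {state: errors.length ? null : parsed, errors};
}
```

Rejecting the entire payload on any error (rather than applying the valid parts) keeps the document from ever starting in a partially attacker-chosen state.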