Closed ssbarnea closed 1 year ago
We already made this change (http -> https and dropping the fragment) starting with the 2019-09 release. We can't change already released drafts, so draft-07 and older URIs are stuck the way they are. Fortunately, using `http` in this case is not unsafe because implementations shouldn't be downloading meta-schemas anyway.
I'm going to close this because there's nothing we can do about this that we aren't already doing.
In addition to what Jason said ☝️, these are identifiers; they're not meant as URLs. Being identifiers, changing them would be a breaking change.
> ...using http in this case is not unsafe because implementations shouldn't be downloading meta-schemas anyway.

Sadly, some tooling does do this, every single time it runs. Part of me feels like we should take it offline for a day just to see if we hear complaints, then we can identify what tooling specifically is still doing that.
See https://github.com/ajv-validator/ajv/issues/472#issuecomment-1451705424 -- to be honest, I would not find it absurd for people to assume that the id URI is the same thing as the resolved link to the schema, because it does make sense.
Hi @ssbarnea, thanks a lot for your comments. @jdesrosiers, @gregsdennis and @Relequestual provided all the clarifications to mark this as closed. I will be more than happy to continue the discussions on the JSON Schema Slack server if required.
At this moment our Draft JSON Schemas are using `$id` fields that use the unsafe `http` protocol and also present a trailing `#`, which does not have a real meaning in the absence of a real anchor.

For example, one of the most popular validators, the ajv library, would fail to validate files that are trying to use the safe HTTPS URL for schemas, just because the schemas themselves declare their official `$id` to be located at a `http://` location.

That is why I think that all our schemas should use only `https://` on their `$id` fields, so we avoid introducing a security issue for implementers.

Current usage (bad):
Proposed usage (safer, faster):
Please note that the proposed usage cannot be safely adopted by schema writers because some libraries like ajv would fail to load the schemas if the schemas themselves do not expose the normative URI the same way (https and lack of trailing hash).
While most browsers and HTTP clients would be able to download the same file using either of the URL variants by eventually doing an HTTP redirect, that does not mean that schema validators will recognize these schema URLs correctly.
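
An added example, not part of the thread or of any JSON Schema implementation's code: a minimal offline registry that treats `$id` values as identifiers, as the maintainers describe, resolving meta-schemas from bundled copies and never over the network. The `SchemaRegistry` class, the `canonicalId` and `lookupTitle` helpers, the `alias` opt-in and the stub schemas are assumptions constructed for illustration.

```javascript
// Constructed stand-ins for meta-schemas bundled with a validator (stubs, not the real documents).
const BUNDLED = [
  { $id: 'http://json-schema.org/draft-07/schema#', title: 'draft-07 meta-schema (stub)' },
  { $id: 'https://json-schema.org/draft/2019-09/schema', title: '2019-09 meta-schema (stub)' },
];

// Drop an empty fragment (a bare trailing "#"); keep the scheme, because
// the http:// and https:// spellings are different identifiers.
function canonicalId(uri) {
  const u = new URL(uri); // throws on relative or malformed input
  return u.hash === '' ? u.href.replace(/#$/, '') : u.href;
}

class SchemaRegistry {
  constructor(schemas) {
    this.byId = new Map();
    for (const s of schemas) this.byId.set(canonicalId(s.$id), s);
  }

  // Explicit opt-in (hypothetical policy): map another spelling to a bundled copy.
  alias(from, to) {
    const target = this.byId.get(canonicalId(to));
    if (!target) throw new Error(`unknown alias target: ${to}`);
    this.byId.set(canonicalId(from), target);
  }

  // Lookup only: an unknown identifier is an error, never a reason to fetch.
  resolve(uri) {
    const schema = this.byId.get(canonicalId(uri));
    if (!schema) throw new Error(`no bundled schema for identifier: ${uri}`);
    return schema;
  }
}

// Returns the stub title, or the error message when the identifier is not bundled.
function lookupTitle(registry, uri) {
  try { return registry.resolve(uri).title; } catch (e) { return e.message; }
}

function demo() {
  const registry = new SchemaRegistry(BUNDLED);
  const httpsDraft7 = 'https://json-schema.org/draft-07/schema';
  const before = lookupTitle(registry, httpsDraft7); // not bundled under this spelling
  registry.alias(httpsDraft7, 'http://json-schema.org/draft-07/schema#');
  return { before, after: lookupTitle(registry, httpsDraft7) };
}

console.log(demo());
```

Because `resolve` never touches the network, the scheme in a `$id` has no transport-security consequence here; the https spelling of draft-07 fails only because it is a different identifier until it is aliased deliberately.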