Closed berislavlopac closed 11 months ago
The current behavior is correct.
The URIs in $schema
are just that -- URIs. They are identifiers for the JSON Schema versions. Regardless of the current website behavior (which has to do more with convenience), up until draft 7 the identifiers were indeed HTTP (even if they were retrievable over HTTPS). And the current ones are HTTPS. The same is true about whether they contain fragments or not.
Essentially, you are supposed to use the exact identifier, and it's irrelevant whether the meta schema is even retrievable at all from that URL.
a schema with the "wrong" HTTP(S) protocol in the $schema URL with be treated as the default metaschema
This bit seems wrong -- if the $schema
URI does not match one of the known metaschemas (whether a mismatch of http/https or something else), the implementation shouldn't fall back to the default, but rather it should error out entirely.
There seems to be a problem when selecting a validator based on the
$schema
URL, using thevalidator_for
function: specifically, some schemas can't be located depending whether the URL ishttp
orhttps
.After some research, it looks like the current implementation assumes the following:
http
.https
.This assumption is incorrect, as in practice all
http
urls are redirected (with 301 response code) to theirhttps
counterparts, andhttps
works for all; this short script shows what happens both when callingvalidate_for
and retrieving the schema from the URL, with either protocol:This is the output of that script:
This behaviour means that a schema with the "wrong" HTTP(S) protocol in the
$schema
URL with be treated as the default metaschema, potentially failing validation.