Add a better JSONSchema validator
Categories
(Firefox :: Nimbus Desktop Client, enhancement, P2)
Tracking
()
People
(Reporter: k88hudson, Assigned: rhelmer)
References
Details
In order to share configuration multiple clients, as well as our severside infrastructure (e.g. Experimenter), we'd like to be able to use the same JSONSchema validator. The existing implementation in Firefox is also missing some key features like anyOf
.
Reporter | ||
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
•
|
||
It looks like we use https://ajv.js.org/ on https://github.com/mozilla/rapid-experiments-shared/ and keeping these the same seems like the way to go.
I'm not sure if we should:
- keep
JSONSchemaValidator.jsm
API-compatible and replace the internals w/ajv
- add
ajv
to m-c and automatically rewrite callers - add
ajv
to m-c and let callers opt-in
There aren't very many callers (looks like enterprise policy and urlbar components) and I don't think there's anything especially great about the current API, so I am leaning towards #2 but might go with #3 if there are concerns.
Reporter | ||
Updated•4 years ago
|
Assignee | ||
Comment 2•4 years ago
|
||
Kate and I discussed this last time we met, and since ajv
uses eval
it's not a great candidate to use for Firefox at runtime (at least not in the main or privileged processes).
It's actually already in-tree and used only for tests, there's a special hardcoded exception to allow it to use eval
:
https://searchfox.org/mozilla-central/source/dom/security/nsContentSecurityUtils.cpp#400
For the moment we're going to use it at test time, and look at options for doing runtime validation. A few ideas I've had, in ascending order of time/difficulty:
- consider another 3rd-party library
- add the features we need to
JSONSchemaValidator.jsm
and package it up so it can be used from npm/web and we can use it on the server. - run
ajv
in a sandboxed content process, and message-pass - fix
ajv
to removeeval
The most important thing is that we use schema validators on client and server that are compatible, the easiest way to ensure this is to use the same library everywhere but that's not essential as long as we trust that they are all up to spec, which is not the case today.
Updated•10 months ago
|
Description
•