Closed Bug 1642737 Opened 4 years ago Closed 10 months ago

Add a better JSONSchema validator

Categories

(Firefox :: Nimbus Desktop Client, enhancement, P2)


RESOLVED DUPLICATE of bug 1757809

People

(Reporter: k88hudson, Assigned: rhelmer)


In order to share configuration across multiple clients, as well as our server-side infrastructure (e.g. Experimenter), we'd like to be able to use the same JSONSchema validator. The existing implementation in Firefox is also missing some key features like anyOf.

Priority: -- → P1

It looks like we use https://ajv.js.org/ on https://github.com/mozilla/rapid-experiments-shared/ and keeping these the same seems like the way to go.

I'm not sure if we should:

  1. keep JSONSchemaValidator.jsm API-compatible and replace the internals w/ ajv
  2. add ajv to m-c and automatically rewrite callers
  3. add ajv to m-c and let callers opt-in

There aren't very many callers (looks like enterprise policy and urlbar components) and I don't think there's anything especially great about the current API, so I am leaning towards #2 but might go with #3 if there are concerns.

Status: NEW → ASSIGNED
Priority: P1 → P2

Kate and I discussed this last time we met, and since ajv uses eval it's not a great candidate to use for Firefox at runtime (at least not in the main or privileged processes).

It's actually already in-tree and used only for tests; there's a special hardcoded exception to allow it to use eval:
https://searchfox.org/mozilla-central/source/dom/security/nsContentSecurityUtils.cpp#400

For the moment we're going to use it at test time, and look at options for doing runtime validation. A few ideas I've had, in ascending order of time/difficulty:

  1. consider another 3rd-party library
  2. add the features we need to JSONSchemaValidator.jsm and package it up so it can be used from npm/web and we can use it on the server.
  3. run ajv in a sandboxed content process, and message-pass
  4. fix ajv to remove eval

The most important thing is that we use schema validators on client and server that are compatible. The easiest way to ensure this is to use the same library everywhere, but that's not essential as long as we trust that they are all up to spec, which is not the case today.
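
The runtime concern in this thread is a validator that relies on eval. As an added illustration (not part of the bug comments, and not code from Firefox, JSONSchemaValidator.jsm or ajv), a validator can instead walk the schema directly, including the anyOf keyword the description says is missing. It assumes only the keywords type, required, properties, items and anyOf; `validate`, `typeOf`, `has` and `SAMPLE_SCHEMA` are hypothetical names.

```javascript
// Added example: interprets the schema by walking it; no eval or new Function.
// validate, typeOf, has and SAMPLE_SCHEMA are hypothetical names, not Firefox or ajv APIs.
function typeOf(v) {
  if (v === null) return "null";
  if (Array.isArray(v)) return "array";
  if (typeof v === "number" && Number.isInteger(v)) return "integer";
  return typeof v; // "string", "number", "boolean" or "object"
}
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of error strings; an empty list means the value is valid.
function validate(schema, value, path = "") {
  const errors = [];
  const here = path || "/";
  const actual = typeOf(value);
  if (schema.type !== undefined) {
    const allowed = [].concat(schema.type);
    // In JSON Schema every integer also satisfies "number".
    const ok = allowed.includes(actual) ||
      (actual === "integer" && allowed.includes("number"));
    if (!ok) errors.push(`${here}: expected ${allowed.join("|")}, got ${actual}`);
  }
  // anyOf: valid when at least one subschema reports no errors.
  if (schema.anyOf && !schema.anyOf.some(s => validate(s, value, path).length === 0)) {
    errors.push(`${here}: no anyOf branch matched`);
  }
  if (actual === "object") {
    for (const key of schema.required || []) {
      if (!has(value, key)) errors.push(`${path}/${key}: required property missing`);
    }
    // Own properties only, so inherited keys never satisfy or bypass a check.
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (has(value, key)) errors.push(...validate(sub, value[key], `${path}/${key}`));
    }
  }
  if (actual === "array" && schema.items) {
    value.forEach((item, i) => errors.push(...validate(schema.items, item, `${path}/${i}`)));
  }
  return errors;
}

// Constructed sample schema: "value" is either a boolean or an object with "enabled".
const SAMPLE_SCHEMA = {
  type: "object", required: ["slug", "value"],
  properties: {
    slug: { type: "string" },
    value: { anyOf: [{ type: "boolean" },
      { type: "object", required: ["enabled"], properties: { enabled: { type: "boolean" } } }] },
  },
};
```

Because the schema is treated purely as data, the same function runs unchanged under a Content Security Policy that forbids eval, and the same file can be loaded on a server to keep client and server behaviour identical.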

Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Component: Messaging System → Nimbus Desktop Client
Duplicate of bug: 1757809
Resolution: --- → DUPLICATE