
Commit 65e3678

Merge pull request #1239 from GrahamLea/patch-1
Document pre-compiled schemas for CSP in README
2 parents 68d72c4 + fd64fb4 commit 65e3678


1 file changed: +15 -0 lines changed


README.md

@@ -82,6 +82,7 @@ ajv.addMetaSchema(require('ajv/lib/refs/json-schema-draft-04.json'));
8282
- [Getting started](#getting-started)
8383
- [Frequently Asked Questions](https://github.com/ajv-validator/ajv/blob/master/FAQ.md)
8484
- [Using in browser](#using-in-browser)
85+
- [Ajv and Content Security Policies (CSP)](#ajv-and-content-security-policies-csp)
8586
- [Command line interface](#command-line-interface)
8687
- Validation
8788
- [Keywords](#validation-keywords)
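Review bot: the TOC anchor `#ajv-and-content-security-policies-csp` on the added line 85 is the slug GitHub derives from the new `### Ajv and Content Security Policies (CSP)` heading (lowercased, spaces to hyphens, parentheses dropped), so the link will resolve; placing the entry right after "Using in browser" also matches where the section is inserted in the body below. No change needed here.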
@@ -238,6 +239,16 @@ Ajv is tested with these browsers:
238239
__Please note__: some frameworks, e.g. Dojo, may redefine global require in such way that is not compatible with CommonJS module format. In such case Ajv bundle has to be loaded before the framework and then you can use global Ajv (see issue [#234](https://github.com/ajv-validator/ajv/issues/234)).
239240

240241

242+
### Ajv and Content Security Policies (CSP)
243+
244+
If you're using Ajv to compile a schema (the typical use) in a browser document that is loaded with a Content Security Policy (CSP), that policy will require a `script-src` directive that includes the value `'unsafe-eval'`.
245+
:warning: NOTE, however, that `unsafe-eval` is NOT recommended in a secure CSP[[1]](https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval), as it has the potential to open the document to cross-site scripting (XSS) attacks.
246+
247+
In order to make use of Ajv without easing your CSP, you can [pre-compile a schema using the CLI](https://github.com/ajv-validator/ajv-cli#compile-schemas). This will transpile the schema JSON into a JavaScript file that exports a `validate` function that works simlarly to a schema compiled at runtime.
248+
249+
Note that pre-compilation of schemas is performed using [ajv-pack](https://github.com/ajv-validator/ajv-pack) and there are [some limitations to the schema features it can compile](https://github.com/ajv-validator/ajv-pack#limitations). A successfully pre-compiled schema is equivalent to the same schema compiled at runtime.
250+
251+
241252
## Command line interface
242253

243254
CLI is available as a separate npm package [ajv-cli](https://github.com/ajv-validator/ajv-cli). It supports:
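Review bot: typo on the added line 247, `simlarly` should be `similarly`. Two smaller points on the same hunk: line 244 writes the source value as `'unsafe-eval'` with the single quotes a CSP header requires around keyword sources, while line 245 writes it unquoted as `unsafe-eval`; using the quoted form in both places avoids readers copying an unquoted keyword that the browser will not honour. Also, since this is the only place the README explains why runtime `compile` forces a weaker `script-src`, one sentence naming what in runtime compilation triggers the `unsafe-eval` requirement would let readers judge whether the pre-compilation route on line 247 applies to their setup.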
@@ -722,6 +733,10 @@ isSchemaSecure(schema2); // true
722733
__Please note__: following all these recommendation is not a guarantee that validation of untrusted data is safe - it can still lead to some undesirable results.
723734

724735

736+
##### Content Security Policies (CSP)
737+
See [Ajv and Content Security Policies (CSP)](#ajv-and-content-security-policies-csp)
738+
739+
725740
## ReDoS attack
726741

727742
Certain regular expressions can lead to the exponential evaluation time even with relatively short strings.
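Review bot: the added line 737, `See [Ajv and Content Security Policies (CSP)](#ajv-and-content-security-policies-csp)`, has no terminating period, and as the entire body of the new `##### Content Security Policies (CSP)` subsection it gives the security-considerations reader no hint of what the cross-reference is about; suggest extending it to something like `See [Ajv and Content Security Policies (CSP)](#ajv-and-content-security-policies-csp) for running Ajv without 'unsafe-eval' in your script-src.` so the link is self-describing. Unrelated to this change but visible in the context line 733: "following all these recommendation" should read "recommendations".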
