From 0006f34ce5eab2d233154aee4b8f5715f298c030 Mon Sep 17 00:00:00 2001 From: Graham Lea Date: Tue, 30 Jun 2020 17:33:03 +1000 Subject: [PATCH] Document pre-compiled schemas for CSP in README Pre-compiled schemas are a workaround for maintaining a secure Content Security Policy (CSP) Fixes #1228 --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index c340f339c..bae892d27 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,15 @@ Ajv is tested with these browsers: __Please note__: some frameworks, e.g. Dojo, may redefine global require in such way that is not compatible with CommonJS module format. In such case Ajv bundle has to be loaded before the framework and then you can use global Ajv (see issue [#234](https://github.com/ajv-validator/ajv/issues/234)). +### Ajv & Content Security Policies (CSP) + +If you're using Ajv to compile a schema (the typical use) in a browser document that is loaded with a Content Security Policy (CSP), that policy will require a `script-src` directive that includes the value `'unsafe-eval'`. +:warning: NOTE, however, that `unsafe-eval` is NOT recommended in a secure CSP[[1]](https://developer.chrome.com/extensions/contentSecurityPolicy#relaxing-eval), as it has the potential to open the document to cross-site scripting (XSS) attacks. + +In order to make use of Ajv without easing your CSP, you can [pre-compile a schema using the CLI](https://github.com/ajv-validator/ajv-cli#compile-schemas). This will transpile the schema JSON into a JavaScript file that exports a `validate` function that works simlarly to a schema compiled at runtime. +Note that the pre-compiled schemas, which are created using [ajv-pack](https://github.com/ajv-validator/ajv-pack#limitations), are not functionally equivalent to Ajv and there are known limitations. + + ## Command line interface CLI is available as a separate npm package [ajv-cli](https://github.com/ajv-validator/ajv-cli). It supports: