Use static config validation with built in widgets to pass CSP without unsafe-eval #6106

Open. Wants to merge 21 commits into base: main.
4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -161,8 +161,8 @@
"browserify": "^17.0.0",
"buffer": "^6.0.3",
"emotion": "^11.0.0",
"eslint-config-prettier": "^8.0.0",
"eslint-plugin-babel": "^5.3.0",
"eslint-config-prettier": "^8.3.0",
"eslint-plugin-babel": "^5.3.1",
"globby": "^12.0.0",
"imports-loader": "^4.0.1",
"lerna": "^8.0.2",
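Review bot: the two dependency bumps in this hunk (eslint-config-prettier ^8.0.0 to ^8.3.0, eslint-plugin-babel ^5.3.0 to ^5.3.1) have nothing to do with static config validation or CSP, and the existing caret ranges already admitted both newer versions, so the change only affects resolution if the lockfile is regenerated alongside it, which this diff does not show. Either drop these two lines from this PR or state in the description why the lint tooling needs to move here.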
10 changes: 10 additions & 0 deletions packages/decap-cms-core/README.md
Expand Up @@ -7,3 +7,13 @@ We haven't created a README for this package yet, but you can:
site](https://www.decapcms.org) for more info.
2. Reach out to the [community chat](https://decapcms.org/chat/) if you need help.
3. Help out and [write the readme yourself](https://github.com/decaporg/decap-cms/edit/main/packages/decap-cms-core/README.md)!

## Config Schema Validation

This package uses [AJV](http://ajv.js.org) to validate user's configuration files. There are two versions of this validation mechanism - static and dynamic. Dynamic validation is triggered when the configuration file includes custom validation schema for custom widgets. Static validation is used when the configuration does not have custom validation schema. Dynamic validation does not work in environments where Content Security Policy does not allow `unsafe-eval`. Due to this constraint, custom validation for custom widgets does not work where `unsafe-eval` is disallowed. You can learn more about this in [CMS does not work with Content Security Policy (CSP). Requires unsafe-eval / unsafe-inline for script-src / style-src](https://github.com/netlify/netlify-cms/issues/2138) issue.

### Modifying Static Config Schema validation

Static schema validation is stored in [./src/constants/staticValidateConfig.js](./src/constants/staticValidateConfig.js). It is generated using `yarn write-validate-schema` script which intern uses `ajv` CLI to compile schema stored in [./config.schema.json](./config.schema.json) to JavaScript that can be executed the browsers without triggering Content Security Policy where `unsafe-eval` is disallowed. This script relies on [./validation-rules/instanceof.js](./validation-rules/instanceof.js) and [./validation-rules/uniqueItemProperties.js](./validation-rules/uniqueItemProperties.js) these validation rules describe how AJV should generate source code for `instanceof` and `uniqueItemProperties` keywords. They are necessary because `ajv-keywords@5.0.0` which is used by this package does not support code generation yet - see notes in [instanceof](https://github.com/ajv-validator/ajv-keywords#instanceof) and [uniqueItemProperties](https://github.com/ajv-validator/ajv-keywords#uniqueitemproperties). These two files can be removed when `ajv-keywords` adds support for code generation for thes keywords.

**Note**: If you modify [./config.schema.json](./config.schema.json) then you should run `yarn write-validate-schema` to regenerate the [./src/constants/staticValidateConfig.js](./src/constants/staticValidateConfig.js) file.
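Review bot: the new "Config Schema Validation" section never says what the CMS does when a configuration carries a custom widget schema and the page is served under a CSP that forbids `unsafe-eval`: whether it refuses to load, falls back to the static validator and skips the custom rules, or fails silently. That is the security-relevant part of this change, because an operator hardening CSP needs to know whether their custom validation is still enforced, so please state the actual behaviour here. Smaller points in the same paragraphs: "which intern uses" should be "which in turn uses", "executed the browsers" is missing "in", "thes keywords" is missing an "e", and the AJV link should use https. Since `staticValidateConfig.js` is a checked-in generated file, consider adding a CI step that reruns `yarn write-validate-schema` and fails on a dirty tree, so the compiled validator cannot silently drift from `config.schema.json`.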