You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We mention earlier on that it is NOT required for an implementation to support loading resources from the web (https://json-schema.org/draft/2020-12/json-schema-core.html#rfc.section.8.2.3), but this may not be prominent enough as a warning; we could do with repeating it in the security section. (And possibly generalize to loading from anywhere, including disk.)
Yeah, specifically mention the risks of loading resources controlled by third parties, as well as performance and privacy concerns. e.g. validation that relies on network operations can potentially be blocked by DoS attacks.
Network operations should be limited to hypermedia APIs and similar applications where this risk already exists and is built into the architecture. We sort of mention this in the appropriate sections, but it can be duplicated in security concerns.
Activity
karenetheridge commentedon May 21, 2022
We mention earlier on that it is NOT required for an implementation to support loading resources from the web (https://json-schema.org/draft/2020-12/json-schema-core.html#rfc.section.8.2.3), but this may not be prominent enough as a warning; we could do with repeating it in the security section. (And possibly generalize to loading from anywhere, including disk.)
awwright commentedon May 22, 2022
Yeah, specifically mention the risks of loading resources controlled by third parties, as well as performance and privacy concerns. e.g. validation that relies on network operations can potentially be blocked by DoS attacks.
Network operations should be limited to hypermedia APIs and similar applications where this risk already exists and is built into the architecture. We sort of mention this in the appropriate sections, but it can be duplicated in security concerns.