Security considerations should mention treating URIs as URLs (from $ref and $schema) #1231
Comments
|
We mention earlier on that it is NOT required for an implementation to support loading resources from the web (https://json-schema.org/draft/2020-12/json-schema-core.html#rfc.section.8.2.3), but this may not be prominent enough as a warning; we could do with repeating it in the security section. (And possibly generalize to loading from anywhere, including disk.) |
|
Yeah, specifically mention the risks of loading resources controlled by third parties, as well as performance and privacy concerns. e.g. validation that relies on network operations can potentially be blocked by DoS attacks. Network operations should be limited to hypermedia APIs and similar applications where this risk already exists and is built into the architecture. We sort of mention this in the appropriate sections, but it can be duplicated in security concerns. |
Related json-schema-org/community#176
The text was updated successfully, but these errors were encountered: