Comments (9)
@dbrgn as is just consulted the standard on that matter, you seem to be right. it says:
Note that this URI is an identifier and not necessarily a network locator. In the case of a network-addressable URL, a schema need not be downloadable from its canonical URI.
which i find very confusing. So you can pull in other schemas via "$ref" : "https://schema.spaceapi.io/13.json"
, but they are not guaranteed to be network reachable.
In the case that it is not intended to deploy the noted uri over network, i personally would prefer an uri like urn:spaceapi:schema:root:0.13
, not an actual url with https://
protocol an so on. just something to consider.
from schema.
In XML, external entities and external schemas have caused a whole load of security and information disclosure vulnerabilities
yes, i am aware of this. my specific usecase also was not to load the schemas in automatically, because i am not implementing a validator, just validation. i just wanted to tell the validator where to get his schemas from. i now include them in the project directly.
on the confusion part i stand by my opinion, that an uri
would be much less confusing than an url that is not reachable.
from schema.
I don't think the $id
needs to be reachable, or should it? My understanding is that domains / URLs are just used for namespacing.
from schema.
I think "pulling in other schemas" will never actually download the schema, it's only a reference. Or is there any OpenAPI client that actually does that?
In any case, I agree that an URN might be better! What do you think, @gidsi?
from schema.
i am not aware of one, but i am just in the process of implementing validation for the SpaceAPI and stumbled over this scenario. i could imagine other people would, too.
probably this is due my lack of experience with json schema, i just assumed it would work like i know it from xml
.
from schema.
It's definitely possible and i would like to make the schema available under the url (we've even talked about it, maybe there is even something in the protocols). Unfortunately we had a lot of other stuff on the agenda (if we start doing that we might also restructuring the schema files while we're on it).
Thats what the json-schema documentation says about using refs.
Even though the value of a $ref is a URI, it is not a network locator, only an identifier. This means that the schema doesnโt need to be accessible at that URI, but it may be. It is basically up to the validator implementation how external schema URIs will be handled, but one should not assume the validator will fetch network resources indicated in $ref values.
I would be against URN since nobody is using it out there and it might be confusing too.
from schema.
I would be against URN since nobody is using it out there and it might be confusing too.
If it's just a unique identifier, then it's perfectly fine, right?
but one should not assume the validator will fetch network resources indicated in $ref values.
Also, that should usually not ever be done implicitly. In XML, external entities and external schemas have caused a whole load of security and information disclosure vulnerabilities: https://owasp.org/www-project-cheat-sheets/cheatsheets/XML_Security_Cheat_Sheet.html
I would not be against using URLs if the schema is actually served there. But I'm not sure if automatic fetching of referenced schemas should be encouraged.
from schema.
If it's just a unique identifier, then it's perfectly fine, right?
I'm not a 100% sure what you mean.
It's best practice to use your domain (json schema doc) and i would just do that instead of using an URN.
In my opinion we would just make the schemas reachable via https if it's confusing to not have it reachable there.
from schema.
Fixed by #73
from schema.
Related Issues (20)
- Tag the schema HOT 2
- nullable state.open HOT 10
- Location: Space address vs postal address HOT 3
- Location: Should lat/lon be optional as well? HOT 5
- Provide at least one reference implementation for v15
- Streams HOT 1
- 3D Printers HOT 4
- Update to new JSON Schema version HOT 2
- Make SpaceAPI REST again HOT 11
- Release 0.14 HOT 1
- Country code HOT 3
- Validate schema fails HOT 2
- Proper examples in schema HOT 1
- state.open cannot be undefined when supporting both v13 and v0.14 HOT 3
- Allow adding metadata to webcams HOT 1
- Space state via MQTT HOT 5
- Add extra `location` details HOT 3
- Add optional `lastchange` for sensor values
- Question: how to provide forward compatibility for newer clients? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from schema.