Use static config validation with built in widgets to pass CSP without unsafe-eval #6106
+19,995
−2
Closes #2138
Summary
Follow up to our proposal in #2138 (comment) to introduce static config validation that allows Netlify CMS to run in environments where Content Security Policy (CSP) prevents runtime code eval with unsafe-eval rule.

This PR introduces a number of changes to make this work,

- ajv package to 8.8.2 & ajv-keywords to 5.0.0 in netlify-cms-core workspace
- ajv-cli as a dependency to netlify-cms-core
- packages/netlify-cms-core/config.schema.json
- write-validate-schema to package.json of netlify-cms-core which uses ajv CLI command to generate package/netlify-cms-core/src/constants/staticValidateConfig.js
- package/netlify-cms-core/validation-rules/{instanceof.js,uniqueItemProprties.js} created with support for ajv@8 which is not supported in ajv-keywords
- validateConfig function modified to check if there are any custom widgets with custom schema. When no custom schemas are present, NetlifyCMS config validation defaults to use staticValidateConfig.js instead of dynamic validation
- ajv-errors because errorMessage keyword is not used in the schema

Test plan

Refactored configSchema.spec.js to run tests for dynamic and static validation.

TODO

- tsc --noEmit.

Checklist

Please add a x inside each checkbox:

- yarn format.
- yarn test.

A picture of a cute animal (not mandatory but encouraged)

Picture of my husky at the Pacific Ocean
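The static-versus-dynamic split described in the summary, as an added sketch that is not code from this PR or from Netlify CMS. The mini schema, the widget objects, `compileDynamic`, and `cspBlockedFunction` (a stand-in for the `Function` constructor on a page whose CSP omits `unsafe-eval`) are all constructed assumptions; only the names `validateConfig` and `staticValidateConfig` echo the PR text.

```javascript
// Constructed stand-in: under a CSP without 'unsafe-eval', browsers throw
// EvalError when code is generated from a string.
function cspBlockedFunction() {
  throw new EvalError("string evaluation refused: 'unsafe-eval' is not allowed");
}

// Constructed, heavily simplified base schema (top-level required keys only).
const BASE_SCHEMA = { required: ['backend', 'collections'] };

// Dynamic path: like a runtime schema compiler, it turns the schema into
// source text and instantiates it through the Function constructor.
function compileDynamic(schema, FunctionCtor = Function) {
  const checks = schema.required.map(key =>
    `if (!(${JSON.stringify(key)} in data)) errors.push(${JSON.stringify(key + ' is required')});`);
  return new FunctionCtor('data', `const errors = []; ${checks.join(' ')} return errors;`);
}

// Static path: the shape of a validator emitted at build time for BASE_SCHEMA.
// It is ordinary code, so nothing is evaluated from a string at runtime.
function staticValidateConfig(data) {
  const errors = [];
  if (!('backend' in data)) errors.push('backend is required');
  if (!('collections' in data)) errors.push('collections is required');
  return errors;
}

// Selection rule from the summary: fall back to runtime compilation only
// when a registered widget carries its own schema.
function validateConfig(config, widgets, FunctionCtor = Function) {
  const custom = widgets.filter(widget => widget.schema);
  if (custom.length === 0) {
    return { mode: 'static', errors: staticValidateConfig(config) };
  }
  const required = BASE_SCHEMA.required.concat(...custom.map(w => w.schema.required));
  const validate = compileDynamic({ required }, FunctionCtor);
  return { mode: 'dynamic', errors: validate(config) };
}
```

With only built-in widgets the call succeeds even when the constructor is blocked; registering a widget with a schema brings back the dependency on string evaluation, so such deployments still need `unsafe-eval` or a precompiled validator for the custom schema.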