decap-cms icon indicating copy to clipboard operation
decap-cms copied to clipboard

Published 20 hours ago verified publisher icon decaporg

WIP: Pre-compiled config schema json

Open taras opened this issue 3 years ago • 9 comments

WIP experimentation related to https://github.com/netlify/netlify-cms/issues/2138

Summary

Test plan

Checklist

Please add a x inside each checkbox:

  • [ ] I have read the contribution guidelines.
  • [ ] Code is formatted via running yarn format.
  • [ ] Tests are passing via running yarn test.
  • [ ] The status checks are successful (continuous integration). Those can be seen below.

A picture of a cute animal (not mandatory but encouraged)

taras avatar Nov 12 '21 19:11 taras

Thanks @taras, FYI custom widgets can declare their schema: https://www.netlifycms.org/docs/custom-widgets/#registerwidget

Custom widgets are registered at runtime, so I'm not sure if we can compile their schema at build time (or maybe we need to require widget authors to do so).

erezrokah avatar Nov 15 '21 13:11 erezrokah

@erezrokah thank you for bringing this to my attention.

Are these custom widgets 3rd party widgets distributed via npm packages or widgets created by the developer making the site? (or both?) It seems that to make NetlifyCMS work without unsafe CSP both of these groups need to use AVJ CLI or Webpack plugin that converts schemas into compiled functions.

taras avatar Nov 15 '21 14:11 taras

@erezrokah one thing I found with this experiment is that AJV standalone mode doesn't support 2 validations that the config uses: uniqueItemProperties and instanceof. So they need to be added to AJV before the existing schema will compile.

taras avatar Nov 15 '21 14:11 taras

Are these custom widgets 3rd party widgets distributed via npm packages or widgets created by the developer making the site? (or both?)

Both

erezrokah avatar Nov 15 '21 15:11 erezrokah

@taras, another question on this. Can you confirm this fixes the CSP issue? I think we have other dependencies using eval.

erezrokah avatar Nov 19 '21 09:11 erezrokah

@taras, another question on this. Can you confirm this fixes the CSP issue? I think we have other dependencies using eval.

it doesn’t fix the issue completely, we’re looking at the other dependencies now. eval is one issue and ‘new Function’ is another version of it. there are 8 instances of ‘new Function’ coming from netlify-cms bundles. it looks like it might be caused by webpack bundling.

taras avatar Nov 19 '21 09:11 taras

@erezrokah we're starting to push updates to fix these CSP issues. Can you please take a look at https://github.com/netlify/netlify-cms/pull/6009

taras avatar Nov 22 '21 19:11 taras

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 26 '23 09:04 stale[bot]

@taras are you still interested in moving this forward?

martinjagodic avatar Oct 16 '23 09:10 martinjagodic