Does not work with proper CSP settings

[heinerlamprecht]

After applying proper CSP-settings, the validator does not work anymore. Console shows:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script

Unfortunately, "unsafe-eval" is prohibited in lots of governmental organisations or Top-500 companies.

Note: The application connects to a REST-Service and the schemas are not known at build-time. Instead they are downloaded from the REST-API.

[ChALkeR]

@heinerlamprecht Hi! Sorry for the late response.

This can be used with CSP via pre-compiling, as mentioned in the documentation: https://github.com/ExodusMovement/schemasafe#generate-modules

To do this, the schemas should be known prior to runtime, and pre-built.
This way, runtime won't need to execute dynamically built validators.

[ChALkeR]

Note: The application connects to a REST-Service and the schemas are not known at build-time. Instead they are downloaded from the REST-API.

Ah, I see.

Are the schemas trusted or not?
If yes, they could perhaps be shipped in pre-compiled form via a proxy (perhaps even a separate host)?

Using untrusted schemas could cause DoS even with all the checks, regardless of the validator used.

[heinerlamprecht]

To do this, the schemas should be known prior to runtime, and pre-built. This way, runtime won't need to execute dynamically built validators.

How can I use this compiled module in an application?

[ChALkeR]

How can I use this compiled module in an application?

I'm not sure about the nature of the question, that depends on the exact setup.