Add domain validation

[ya7010]

Related: #5621

Prohibit the use of the json.schemastore.org domain and recommend the use of www.schemastore.org instead.

To pass CI for this PR, we need to merge #5626 first.

[madskristensen]

this is a great idea, but the issue is that the current $id property URLs must not change and they have to remain using json.. But perhaps we can limit it to new files or to $ref URLs instead?

[ya7010]

Conceptually, I understand that the $id should not be changed, but in practice, json.schemastore.org redirects to www.schemastore.org.

What are some potential drawbacks of changing the $id?

[hyperupcall]

@ya7010 Previous changes have resulted in breaking changes for popular clients like Taplo. See tamasfe/taplo#799 for details. Even for us testing the schemas internally, changing the $id of the schema breaks our testing suite. But if this change fixes an important issue, then I think maybe it is worth doing.

[hyperupcall]

@ya7010 Wondering, are you sure that all of these changes are needed to fix issues from #5621, #5108, and #5106? We discourage directly accessing the json.* URLs, so these changes won't fix that case, but it should fix the case in which the json.* url is used with $ref, right? It has been while since I've remembered the spec/used clients, but do you think changing just the $ref values and not the $ids would fix this issue?

[ya7010]

@hyperupcall

I was not aware of that issue.

Looking at the implementation of Taplo, it seems that the $schema in catalog.json needs to remain as json.schemastore.org.

We need to address this with a whitelist that allows json.schemastore.org.

fbc3d63#diff-1b8f038f5afb1158263a1fc83b9c0ca5a7438cceb90adad99d87168f70edc815R2

[ya7010]

@ya7010 Wondering, are you sure that all of these changes are needed to fix issues from #5621, #5108, and #5106? We discourage directly accessing the json.* URLs, so these changes won't fix that case, but it should fix the case in which the json.* url is used with $ref, right? It has been while since I've remembered the spec/used clients, but do you think changing just the $ref values and not the $ids would fix this issue?

$id itself is not the direct issue with the discussion. Generally, $id is not a target for fetching.

The problem is that json.schemastore.org is used for elements that require fetching from schemastore, such as $schema, $ref, and url.

On the other hand, with the exception of the catalog, various URLs are already mixed for $id in schemas.
Even now, $id values from www.schemastore.org and raw.githubusercontent.com are mixed together in catalog.json.

• "url": "https://www.schemastore.org/revola.json"
• "url": "https://raw.githubusercontent.com/hashgraph-online/skill-publish/main/schemas/skill.schema.json"
• "url": "https://goosewobbler.github.io/releasekit/schema.json"
• etc...

The issue with the current fix is that it creates a new schema by copying many existing deprecated samples, which carries a constant risk of network errors occurring.