Support json-schema under https

[ioggstream]

I expect

Schemas to be downloaded under HTTPS

To Reproduce

1. grep -r 'https://json-schema.org' .

Expected behavior

Occurrencies of json-schema.org with HTTPS

Instead

• Empty result.

Environment (remove any that are not applicable):

• Library version: 5.7.2

Additional context

webpackaging spectral, I get an error when downloading the insecure ref.

It would be great to have an HTTPS reference (probably related to https://github.com/ajv-validator/ajv/tree/master/lib/refs)

cc: @emilioSp

[philsturgeon]

I am not understanding the reproduction steps here. You've just got 1. grep 'https://json-schema.org' which is not enough to reproduce anything.

Can you help me understand what the problem is, what the expectations are, what the actual result is?

[ioggstream]

Hi @philsturgeon,thanks for replying!

We are using spectral in this online validator https://deploy-preview-98--api-validator.netlify.app/ which is a showcase for the Italian API Ruleset, and we get the following error. Ruleset is here https://github.com/italia/api-oas-checker/blob/gh-pages/spectral.yml

are we missing something? cc: @emilioSp

[philsturgeon]

I think we could just update all the URLs to be https:// which the OAS folks should do too. I'll take that up with them, but I think we can proceed regardless.

https://github.com/stoplightio/spectral/search?q=%22http%3A%2F%2Fjson-schema%22

[ioggstream]

Seems reasonable, though I don't know whether in jsonschema, http:// is supposed to be an URI or an URL...

In my local dist I found something resembling an URI-to-URL mapping, but dunno if it is related.

node_modules/@stoplight/spectral/dist/functions/schema.js:    ajv._refs['http://json-schema.org/schema'] = 'http://json-schema.org/draft-04/schema';

OT: if you are interested in the ruleset, drop a line ;)

[philsturgeon]

Either https or http can be used so we might as well use https. 

[P0lip]

Judging by the stack trace, the issue seems to be originating from json-ref-resolver.
We try to resolve all $refs within a given ruleset, and since OpenAPI 2 schema we use inside of OAS2 ruleset has plenty of $refs pointing at http://json-schema.org/draft-04/schema, this is likely to be the culprit.

[philsturgeon]

If this will go away with #1054 it sounds like another vote for getting that change done?

[P0lip]

@ioggstream I put a PR that instruments ruleset $ref resolver to avoid reading these $refs entirely.
That shouldn't be needed at all, since AJV already has these schemas loaded, thus it should be able to resolve it on its own.

[ioggstream]

@P0lip great! cc: @emilioSp could you please PTAL

[emilioSp]

It sounds great! Thanks!

[P0lip]

I'm going to close it then.
This shouldn't be an issue anymore since we won't even attempt to load that resource.
However, if you still face some issues once you try out a new (minor/patch) version (that's on its way!), let me know here.
Thanks!

[Relequestual]

Seems reasonable, though I don't know whether in jsonschema, http:// is supposed to be an URI or an URL... - @ioggstream

Right, they are URIs, not URLs, so may not be changed.
The URIs for the dialect identifiers of all published drafts are set in stone.
In newer versions, we use HTTPS.
It is never expected that an implementation should go download these on the fly! As, given they are URIs, that might not be possible.