forbidden-properties

Learn how to set custom rules to disallow reading from, writing to, and/or calling one or more properties
Table of Contents

Conformance is available on Enterprise plans

The forbidden-properties rule type enables you to disallow reading from, writing to, and/or calling one or more properties.

  • Disallowing use of global properties
    • You want to disallow calling document.write
    • You want to disallow using browser-only APIs in a component library that may be server-rendered
    • You want to disallow calls to usage of window.location in favor of another solution.
  • Disallowing use of deprecated features
    • You want to disallow using event.keyCode
    • You want to disallow specific strings from being used within code

To create a custom forbidden-properties rule, you'll need to configure the below required properties:

PropertyTypeDescription
ruleType"forbidden-properties"The custom rule's type.
ruleNamestringThe custom rule's name.
errorMessagestringThe error message, which is shown to users when they encounter this rule.
errorLinkstring (optional)An optional link to show alongside the error message.
descriptionstring (optional)The rule description, which is shown in the Vercel Compass dashboard and included in allowlist files.
severity"major" | "minor" (optional)The rule severity added to the allowlists and used to calculate a project's conformance score.
forbiddenPropertiesForbiddenProperty[]One or more properties and their forbidden operations.
PropertyTypeDescription
propertystringThe property to target.
operations{ call?: boolean, read?: boolean, write?: boolean }The operation(s) to target. At least one operation is required.

The example below configures a rule named NO_DOCUMENT_WRITE_CALLS that disallows calling document.write.

conformance.config.jsonc
{
  "customRules": [
    {
      "ruleType": "forbidden-properties",
      "ruleName": "NO_DOCUMENT_WRITE_CALLS",
      "errorMessage": "Calling 'document.write' is not allowed.",
      "description": "Disallows calls to `document.write`.",
      "severity": "major",
      "forbiddenProperties": [
        {
          "property": "document.write",
          "operations": {
            "call": true,
          },
        },
      ],
    },
  ],
}

Note that a property's assignments are tracked by this custom rule type.

Using our example NO_DOCUMENT_WRITE_CALLS rule (above), the following calls will both result in errors.

document.write();
 
const writer = document.write;
writer();

The example below enables the NO_DOCUMENT_WRITE_CALLS custom rule. In this example, the custom rule is also restricted to the dashboard and marketing-site workspaces, which is optional.

conformance.config.jsonc
{
  "overrides": [
    {
      "restrictTo": {
        "workspaces": ["dashboard", "marketing-site"],
      },
      "rules": {
        "CUSTOM.NO_DOCUMENT_WRITE_CALLS": true,
      },
    },
  ],
  "customRules": [
    // ...
  ],
}

;

Last updated on July 23, 2024