Cursor sets `"json.schemaDownload.enable": false` due to CVE-2025-49150, which disables intellisense, hover support, etc. for JSON files - even for basic files like package.json and tsconfig.json.
Some time ago VSCode added the `json.schemaDownload.trustedDomains` setting to whitelist trusted domains (e.g. Schema Store) and thus avoid this problem, but Cursor has not yet implemented that setting.
So we’re stuck with a dilemma: enable that feature for JSON support, or disable it to block malicious agents.
Hey, thanks for the detailed write-up. Right now there’s only one working option, re-enable schema download in settings. Add this to settings.json:
```json
"json.schemaDownload.enable": true
```
This brings back IntelliSense, hover, and validation for package.json, tsconfig.json, and other files that pull schemas from remote sources like schemastore.org.
Important context on why the default is false. It’s not accidental, it’s a security fix, advisory GHSA-9h3v-h59j-v6rj. With schema download enabled, a JSON file with `$schema` can trigger an HTTP GET to any URL without confirmation. In an untrusted repo that can leak data, especially with prompt injection since the agent can edit JSON. So if you turn it back on, you’re accepting that risk.
On json.schemaDownload.trustedDomains I checked this directly in Cursor. Searching for it in Settings shows only the JSON > Schema Download: Enable toggle and an unrelated Workbench > Trusted Domains setting for opening links, not schemas. The per-domain schema setting isn’t registered, so upstream VS Code’s per-domain control isn’t available right now, and adding trustedDomains won’t do anything.
What you can control is granularity per project, not per domain. That’s different from what you asked for, but it’s the closest working lever:
- Keep json.schemaDownload.enable set to false globally.
- Set it to true only in .vscode/settings.json for projects you trust.
This isn’t the domain filtering you wanted, it’s an all-or-nothing toggle scoped to a workspace. But it reduces the risk surface since schema download only turns on where you’ve explicitly decided it’s safe.
The per-domain request trustedDomains is tracked in your separate thread, so the feedback is on record. I can’t share an ETA. Let me know if enabling the setting doesn’t help.
I already considered limiting that setting per-workspace, but it would not limit the potential blast radius - if I understand correctly, a malicious agent would have access to the entire machine, so could exfiltrate anything from anywhere (limited to the current user’s privileges, of course).
I assume from your reply and that fancy shield next to your avatar that you are one of the Cursor devs. Please see if you guys can prioritise integration of the upstream `trustedDomains` feature? You turned it off by default - which was the correct and responsible decision - but coding without it is truly horrible. That whitelist would solve the problem properly.
Yeah, I’m from the Cursor team. And you’re right about the blast radius. The per-workspace toggle only limits where schema download is enabled, but it doesn’t isolate the agent’s access to the filesystem. So yeah, it’s not a full security control, it just reduces exposure in places where you’ve decided you trust the repo. A proper solution is a per-domain allowlist like upstream trustedDomains.
The request to port trustedDomains is already logged in your separate FR thread, so it’s on our radar. I can’t promise priority or timelines right now, there’s no ETA. If there’s an update, I’ll reply in the thread.
For now it’s the same compromise: keep json.schemaDownload.enable: false globally, and enable it only in trusted projects. It’s not what you’re asking for, but it’s the only working lever we have today.
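Added example, not part of the thread and not Cursor's or VS Code's code: a pre-flight check to run before setting `json.schemaDownload.enable` to true in a workspace, listing every `$schema` reference whose host falls outside an allowlist. The `ALLOWED_DOMAINS` value and the function names are assumptions made for this sketch.

```python
import json
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: the domains you would be willing to fetch schemas from.
ALLOWED_DOMAINS = {"schemastore.org"}

# Regex instead of a full parse: tsconfig.json and similar files may contain comments.
SCHEMA_RE = re.compile(r'"\$schema"\s*:\s*"((?:[^"\\]|\\.)*)"')


def is_allowed(url, allowed=ALLOWED_DOMAINS):
    """True if url is local (no host) or its host is an allowed domain or subdomain."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if not host:
        return True  # relative path or file: reference, nothing is downloaded
    return any(host == d or host.endswith("." + d) for d in allowed)


def scan_workspace(root, allowed=ALLOWED_DOMAINS):
    """Return (file, url) pairs for every $schema that points outside the allowlist."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in (".json", ".jsonc") or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for match in SCHEMA_RE.finditer(text):
            raw = match.group(1)
            try:
                url = json.loads('"' + raw + '"')  # undo escapes such as \/ or \u0068
            except ValueError:
                url = raw
            if not is_allowed(url, allowed):
                findings.append((str(path), url))
    return findings


if __name__ == "__main__":
    hits = scan_workspace(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file, url in hits:
        print(f"{file}: $schema -> {url}")
    sys.exit(1 if hits else 0)
```

This is a point-in-time check: a JSON file edited after the scan, by an agent or anyone else, is not covered until the scan is run again.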