Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds interpreter support for Vega expressions that is Content Security Policy (CSP)-compliant. By default, the Vega parser performs code generation for parsed Vega expressions, and the Vega runtime uses the Function constructor to create JavaScript functions from the generated code. Although the Vega parser includes its own security checks, the runtime generation of functions from source code nevertheless violates security policies designed to prevent cross-site scripting.
This PR provides an optional interpreter that evaluates expressions by traversing an Abstract Syntax Tree (AST) for an expression and performing each operation in turn. Use of the interpreter enables compliance with CSP, but can incur a performance penalty. In tests of initial parse and dataflow evaluation times, the interpreter is on average ~10% slower. Interactive update performance may incur higher penalties, as it is often more expression-heavy and also amortizes the one-time cost of Function constructor parsing.
vega
vega-functions
undefined
input. This ensures identical semantics with the internal_scale
helper function used by code-generated encoders.vega-interpreter
vega-runtime
vega-view
expr
to pass in a custom expression evaluator.