Avoid "Function" constructor
tdelmas opened this issue · comments
https://github.com/d3/d3-dsv/blob/master/src/dsv.js#L8
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function
The Function
constructor is not allowed in browser context in browser context when a safe CSP is used (without unsafe-eval
). For example it prevent the usage of Plotly with a safe CSP because it uses this package: plotly/plotly.js#897
https://github.com/d3/d3-dsv#content-security-policy
If a content security policy is in place, note that dsv.parse requires unsafe-eval in the script-src directive, due to the (safe) use of dynamic code generation for fast parsing. (See source.) Alternatively, use dsv.parseRows.
Maybe a replacement for dsv.parse
(ex. dsv.parseSafe
) should be given?
I recommend using parseRows as suggested in the text you pasted from the README and a row function to turn the array of field values into an object.