Add vega-interpreter to Vega Lite Charts

[mayagbarnes]

📚 Context

Integrating the expression interpreter with vega-embed to avoid unsafe-eval permission for CSP

• What kind of change does this PR introduce?
  • Refactoring

🧠 Description of Changes

• Passing ast: true and expression interpreter to vega-embed

🧪 Testing Done

• Manual

🌐 References

• Vega-embed doc
• Expression Interpreter doc
• CSP

---

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

[mayagbarnes]

Not entirely sure how I ought to write tests for this...
I only manual tested with <meta http-equiv="Content-Security-Policy" content="script-src 'self'" /> in the index.html file

[lukasmasuch]

Not entirely sure how I ought to write tests for this...

Yep, that sounds pretty complicated. This might require some research, but I think we cannot test this through our unit tests (jest, pytest) since there isn't any browser involved. So, we either have to test it via e2e tests by adding it somehow to the index.html (injecting it via javascript would not work) or we have to add the CSP header as default to Streamlit. Maybe adding the CSP header to Streamlit core is even requested by the SIS/Security team, not sure.

One super hacky way I can think of would be the following: inject the header into the index.html file (see this for an example) from the python e2e script. This might also require to force one rerun (e.g. via experimental_rerun) to have the cypress browser load the modified file. And we might need to clean the index.html file up again for the following tests.

Another cleaner solution might be that we add an optional config option (e.g. server.enableCSPProtection) that - if activated - adds the CSP to the HTTP headers of the webserver (similar to how it is done here). Maybe that is even a valid feature to officially add to our config options.

[lukasmasuch]

nit: Do you know if this is actually required? I think it is used as default if ast is set to true:

https://github.com/vega/vega-embed/blob/88fb1224cbb2e51644849a20f1e7ba629629bab9/src/embed.ts#L378

But there is most likely no harm in explicitly specifying this.

[mayagbarnes]

Agreed it looks like its passed as the default, just thought it would be more straightforward to understand if it was explicitly passed to expr:

[lukasmasuch]

Overall looks good 👍 We somehow need to figure out if there is a good way to test this. Maybe we can bring this up as a discussion topic in the next standup to discuss some of the options.

[kmcgrady]

Vega is BSD 3-Clause so I approve this dependency change