
Avoid reaching out to numeric in global namespace in compiled code. #45


Closed
wants to merge 2 commits into from

Conversation

jwmerrill

This replaces calls to javascript's Function() with calls to the new numeric.compile(), which is a wrapper that closures in the numeric object so that methods on it can be used inside compiled code. The motivation here is to allow using numeric without globally exporting the `numeric` symbol.

Done in collaboration with @ehberger.

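The mechanism the PR describes, as an added example that is not numeric.js's own code: `makeCompile` builds a `compile` function that closes over a library object and passes it into the generated function as an extra parameter, so the generated body can refer to `numeric` without a global of that name existing. The library object (`numericLike`) and the helper names are assumptions made for illustration. Note that both variants still go through `Function()`.

```javascript
// Added example, not numeric.js code. `numericLike` is a constructed stand-in
// with two methods so the generated code has something to call.
const numericLike = {
  sum: (arr) => arr.reduce((a, b) => a + b, 0),
  dim: (arr) => arr.length,
};

// Global-dependent variant: the generated body refers to the free identifier
// `numeric`, so it only works if `numeric` has been exported globally.
function compileGlobal(argNames, body) {
  return Function(...argNames, body);
}

// Closure variant: the generated function takes `numeric` as an extra trailing
// parameter and the wrapper supplies it from lexical scope. No global needed.
// Both variants still call Function(), so a CSP treats them identically.
function makeCompile(lib) {
  return function compile(argNames, body) {
    const inner = Function(...argNames, 'numeric', body);
    return function compiled(...args) {
      return inner(...args, lib);
    };
  };
}

const compile = makeCompile(numericLike);

// Compare the two variants on the same generated body. Returns the closure
// variant's result and whether the global variant failed with ReferenceError
// (it does whenever no global `numeric` is defined, as in this example).
function demo() {
  const body = 'return numeric.sum(x) / numeric.dim(x);';
  const mean = compile(['x'], body);
  const result = mean([1, 2, 3, 4]);

  let globalFailed = false;
  try {
    compileGlobal(['x'], body)([1, 2, 3, 4]);
  } catch (e) {
    globalFailed = e instanceof ReferenceError;
  }
  return { result, globalFailed };
}
```

The design choice worth noting: because the library object arrives as a parameter rather than a global, the same compiled function can be handed a different (for instance instrumented or sandboxed) implementation simply by calling `makeCompile` with another object.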
@Pomax

Pomax commented Apr 18, 2015

Any site with CSP in place to prevent illegal code injection will not allow eval and new Function (they are considered equivalent from a security perspective), so this PR would prevent numeric.js from working for sites that employ CSP.

And, unfortunately, the sites that need CSP the most are sites that deal with user-generated content, such as "notebook" websites where users can write their own numeric programs and run them, or things like jsfiddle/jsbin/codepen/etc.

This patch would make numeric.js unusable on those sites, so I'd strongly advise to find a solution that does not involve Function at all.
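Pomax's point about CSP, as an added example that is not part of the thread: a small checker that parses a Content-Security-Policy header and reports whether eval/Function-style code generation would be allowed. It applies the standard rules that `script-src` governs dynamic code, that `default-src` is the fallback when `script-src` is absent, that `'unsafe-eval'` is the keyword which re-enables it, and that the first occurrence of a duplicated directive wins. The sample policies are constructed for illustration.

```javascript
// Added example, not from numeric.js or the PR. Parses a CSP header string
// into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...values] = tokens;
    const name = rawName.toLowerCase();
    // CSP ignores later duplicates of a directive; the first one wins.
    if (!directives.has(name)) directives.set(name, values);
  }
  return directives;
}

// eval() and Function() are gated by the same directive. script-src applies
// if present, otherwise default-src; with neither, nothing is restricted.
function allowsDynamicCode(header) {
  const d = parseCsp(header);
  const effective = d.get('script-src') ?? d.get('default-src');
  if (effective === undefined) return true;
  return effective.some((v) => v.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies.
const SAMPLE_POLICIES = {
  strict: "default-src 'self'; script-src 'self' https://cdn.example.com",
  relaxed: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  defaultOnly: "default-src 'self'",
  unrelated: "img-src *",
  // Second script-src is ignored, so this stays strict.
  duplicated: "script-src 'self'; script-src 'unsafe-eval'",
};

// Returns which of the sample policies would let Function()-based compiled
// code run at all.
function report(policies = SAMPLE_POLICIES) {
  const out = {};
  for (const [name, header] of Object.entries(policies)) {
    out[name] = allowsDynamicCode(header);
  }
  return out;
}
```

A library that relies on `Function()` only works under the `relaxed` and `unrelated` policies here; a site that cannot grant `'unsafe-eval'` has no way to opt the library in selectively.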

@jwmerrill
Author

@Pomax note that Numeric already uses the Function constructor all over the place, e.g.

return Function('x','accum','_s','_k',

so I don't believe this PR would change anything from the perspective of CSP.

@Pomax

Pomax commented Apr 20, 2015

Perhaps not, but it would certainly be another thing to then also rewrite in order to keep numeric.js usable in a CSP enabled web landscape.

@Pomax

Pomax commented Jun 12, 2017

Can this PR be closed? It's from quite a few years ago and I can't remove it from my pulls/mentioned even though I would really love to stop seeing it there =)

@jwmerrill jwmerrill closed this Jun 12, 2017