Hi @Anonymous, and welcome aboard!
Hopefully the following can provide some clarification on your questions:
- Not really, as it's client-side code.
- The SDK will compile TypeScript to JavaScript and then minify it as part of the package process.
- This will look quite different to your original code and will be a headache for someone to figure out, but it's technically possible.
- I'm not sure if you've seen it but you can open the .pbiviz file with a compressed file utility such as 7Zip and inspect the contents to see how the code is prepared and decide if this is adequate for your needs or not.
- Not to my knowledge.
- It's actually pretty hard in general to find out how to handle licensing for any client-side JS-based solution, presumably as many commercial vendors might not be keen to divulge it. The most insightful analysis I've seen on the subject is this Stack Overflow question.
- I personally don't charge for my work and open-source my visuals so anything I can add below is speculative, but those of us that know custom visuals are spread pretty thinly across the forums, and I'm not sure many commercial vendors (who could offer insight) are active here in a community support capacity.
- From cursory analysis of a few Power Visuals in terms of "are they phoning home?" most vendors aren't doing this, mainly because if they want to be certified visuals, they aren't permitted by MS to access external services.
- These likely use use encryption local to the visual for key validation, but handle the issuance of a valid key through their site's purchase process that uses the same algorithm to ensure vendor, duration etc. are correct, without any server-side validation through the visual itself, and possibly take the hit on anyone who figures out such an algorithm (but won't offer support to them as they won't have their key on file).
- Your best bet here would be to either reach out to a commercial vendor and see if they will be prepatred to divulge this, or to contact the visuals team directly at pbicvsupport@microsoft.com to see if they can offer you any assistance directly.
- Sort of.
- Custom visuals are sandboxed from the main window, so they don't have a domain. Cookies aren't permitted either. The only active permission on the iframe is allow-scripts.
- You can call external APIs if their CORS configuration allows access from any domain, so your mileage may vary if you're calling third-party services as some allow this and some don't.
- If you're crafting your own, API, I'd suggest having a CORS configuration of Access-Control-Allow-Origin: * server-side and then having a property in your visual to store/use an access token so that you can implement some kind of access management or rate-limiting server-side (similar to the "assumed license key" approach above).
Hopefully this provides some clarification but as mentioned higher-up, if you have really detailed specifics, it's probably better to email MS directly at pbicvsupport@microsoft.com, particularly around commercial elements.
Anyway, I hope some of this helps you out, and good luck on your journey!
Daniel