CSP issues for statically built sites #3063
Description
Bug report
The fix chosen to resolve CSP issues does not work in all environments, for example a statically built site. This originates from the react-remove-scroll package.
Current Behavior
When opening a dialog the error is printed to the console:
index-j0ekAU3g.js:444 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-nzTgYzXYDNe6BAHiiI7NNlfK8n/auuOAhh2t92YvuXo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Expected behavior
No error in the console
Reproducible example
Simply do a production build of a vite site that has a radix dialog and open the dialog. In your html head have this CSP tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self';"/>Suggested solution
Remove script injection as per #2057 (comment)
Additional context
Your environment
| Software | Name(s) | Version |
|---|---|---|
| Radix Package(s) |
"@radix-ui/react-alert-dialog": "^1.0.5",
"@radix-ui/react-avatar": "^1.0.4",
"@radix-ui/react-checkbox": "^1.0.4",
"@radix-ui/react-dialog": "^1.0.5",
"@radix-ui/react-dropdown-menu": "^2.0.6",
"@radix-ui/react-icons": "^1.3.0",
"@radix-ui/react-label": "^2.0.2",
"@radix-ui/react-navigation-menu": "^1.1.4",
"@radix-ui/react-popover": "^1.1.1",
"@radix-ui/react-progress": "^1.0.3",
"@radix-ui/react-radio-group": "^1.2.0",
"@radix-ui/react-select": "^2.0.0",
"@radix-ui/react-separator": "^1.0.3",
"@radix-ui/react-slot": "^1.0.2",
"@radix-ui/react-switch": "^1.0.3",
"@radix-ui/react-toast": "^1.1.5",
"@radix-ui/react-tooltip": "^1.0.7",
| React | n/a | 18.2 |
| Browser | | Chrome |
| Assistive tech | | n/a |
| Node | n/a | 20 |
| npm/yarn | | yarn |
| Operating System | | Ubuntu |