[bug]: support nonces for usage of inline CSS required for certain components to work, currently incompatibility when using a Content Security Policy (CSP) that doesn't add unsafe-inline for CSS

[WoetDev]

Describe the bug

Certain components don't work when unsafe-inline is not defined in the CSP, a security incompatibility that should be resolved so shadcn can also be used by development teams under strict security requirements. I hope the shadcn team also takes security seriously and wants to support this 🙏

If CSS can be injected by an attack, it can aid in social engineering attacks by confusing the target users.

Seems to be a problem with Toast as well as the third-part library Sonner: emilkowalski/sonner#449

This issue seems to remain closed even after requesting it to be re-opened: #2891

Affected component/components

Toast, Sonner, Tabs, Dialog, Sheet, Command

How to reproduce

Use any CSP with the style-src directive set to anything other than unsafe-inline.

Codesandbox/StackBlitz link

No response

Logs

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-xxx'". Either the 'unsafe-inline' keyword, a hash ('sha256-xxxx='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

System Info

Not relevant

Before submitting

• I've made research efforts and searched the documentation
• I've searched for existing issues

[devnull]

Looking further into this because it's also causing issues for me.

% npm ls react-style-singleton
portal
├─┬ @radix-ui/react-dialog@1.1.1
│ └─┬ react-remove-scroll@2.5.7
│   ├─┬ react-remove-scroll-bar@2.3.6
│   │ └── react-style-singleton@2.2.1 deduped
│   └── react-style-singleton@2.2.1
└─┬ cmdk@0.2.1
  └─┬ @radix-ui/react-dialog@1.0.0
    └─┬ react-remove-scroll@2.5.4
      └── react-style-singleton@2.2.1 deduped

It appears that this is a dependency on react-remove-scroll. I think these are related.

• Violates safe CSPs because of dependency applying style tags theKashey/react-remove-scroll#21
• Modal usage of react-remove-scroll-bar triggers CSP error chakra-ui/chakra-ui#3383

[QiaoLi1996]

Is this solved? I'm experiencing the same issue.

[gregorjohannson]

You should be able to apply the nonce if you call setNonce from the get-nonce utility which was published by the author of react-remove-scroll-bar & react-remove-scroll specifically to get around this error.

E.g:

import {setNonce} from 'get-nonce';
...
setNonce(myNonce); 

[devnull]

get-nonce involves dynamically setting the CSP with the nonce. This is difficult if the infrastructure (e.g. CDN) is decoupled from the app. get-nonce is a poor workaround, and doesn't address the underlying issue.

[shadcn]

Hi. We're closing some old issues as outdated. If this is still relevant, leave a message, we'll reopen it. Thank you. Appreciate your contribution to the project - shadcn

[nicolaspapp]

I'm still facing issues with unsafe inlining on the same components (like the Toaster) that keep breaking even when modifying the generated component.

[Andy6792]

I am also still facing this issue. It's a shame to have to replace some of these components in our web panel.