Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug]: support nonces for usage of inline CSS required for certain components to work, currently incompatibility when using a Content Security Policy (CSP) that doesn't add unsafe-inline for CSS #4461

Open
2 tasks done
WoetDev opened this issue Jul 30, 2024 · 2 comments
Open
2 tasks done

[bug]: support nonces for usage of inline CSS required for certain components to work, currently incompatibility when using a Content Security Policy (CSP) that doesn't add unsafe-inline for CSS #4461

WoetDev opened this issue Jul 30, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@WoetDev
Copy link

WoetDev commented Jul 30, 2024

Describe the bug

Certain components don't work when unsafe-inline is not defined in the CSP, a security incompatibility that should be resolved so shadcn can also be used by development teams under strict security requirements. I hope the shadcn team also takes security seriously and wants to support this 🙏

If CSS can be injected by an attack, it can aid in social engineering attacks by confusing the target users.

Seems to be a problem with Toast as well as the third-part library Sonner: emilkowalski/sonner#449

This issue seems to remain closed even after requesting it to be re-opened: #2891

Affected component/components

Toast, Sonner, Tabs, Dialog, Sheet, Command

How to reproduce

Use any CSP with the style-src directive set to anything other than unsafe-inline.

Codesandbox/StackBlitz link

No response

Logs

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-xxx'". Either the 'unsafe-inline' keyword, a hash ('sha256-xxxx='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

System Info

Not relevant

Before submitting

  • I've made research efforts and searched the documentation
  • I've searched for existing issues
@WoetDev WoetDev added the bug Something isn't working label Jul 30, 2024
@devnull
Copy link

devnull commented Jul 31, 2024

Looking further into this because it's also causing issues for me.

% npm ls react-style-singleton
portal
├─┬ @radix-ui/[email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └── [email protected] deduped
│   └── [email protected]
└─┬ [email protected]
  └─┬ @radix-ui/[email protected]
    └─┬ [email protected]
      └── [email protected] deduped

It appears that this is a dependency on react-remove-scroll. I think these are related.

@QiaoLi1996
Copy link

Is this solved? I'm experiencing the same issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@devnull @QiaoLi1996 @WoetDev