feat: Added strict CSP mode that uses CSS-only

Author: ndbroadbent

README.md

@@ -67,6 +67,48 @@ const App = () => {
 };
 ```
 
+## Content Security Policy (CSP)
+
+react-hot-toast supports strict Content Security Policies through an opt-in strict CSP mode.
+
+### Default Mode
+
+By default, react-hot-toast uses inline styles for maximum flexibility. This requires `style-src 'unsafe-inline'` in your CSP.
+
+### Strict CSP Mode
+
+For applications with strict CSP that disallow inline styles, enable strict CSP mode:
+
+```jsx
+import toast, { Toaster } from 'react-hot-toast';
+
+<Toaster strictCSP={true} />
+```
+
+In strict CSP mode:
+- All inline `style` props are ignored
+- Styling must be done via CSS classes and CSS variables
+- Toast positioning uses CSS flexbox instead of inline transforms
+- Fully compatible with CSP `style-src 'nonce-...'` directives
+
+The library uses [goober](https://github.com/cristianbote/goober) for styling, which supports CSP nonces through multiple methods:
+
+**Using `setNonce()`:**
+```js
+import { setNonce } from 'goober';
+setNonce('your-nonce-here');
+```
+
+**Vite convention:**
+```html
+<meta property="csp-nonce" nonce="your-nonce-here" />
+```
+
+**Webpack convention:**
+Set `window.__webpack_nonce__` in your entry script (see [webpack CSP guide](https://webpack.js.org/guides/csp/)).
+
+Make sure your CSP includes `style-src 'nonce-your-nonce-here'` and `script-src 'nonce-your-nonce-here'`.
+
 ## Documentation
 
 Find the full API reference on [official documentation](https://react-hot-toast.com/docs).

site/pages/docs/styling.mdx

@@ -128,3 +128,41 @@ import { Toaster, ToastBar } from 'react-hot-toast';
   )}
 </Toaster>;
 ```
+
+## Strict CSP Mode
+
+For applications with strict Content Security Policies that disallow inline styles, enable `strictCSP` mode:
+
+```jsx
+<Toaster strictCSP={true} />
+```
+
+In strict CSP mode:
+- All inline `style` props are ignored
+- Styling must be done via CSS classes and CSS variables
+- Toast positioning uses CSS flexbox instead of inline transforms
+- The library is fully compatible with CSP `style-src 'nonce-...'` directives
+
+### Styling with CSS Variables (Strict CSP)
+
+When using strict CSP mode, use CSS variables for theming:
+
+```css
+:root {
+  /* Success toasts */
+  --rht-success-bg: #ecfdf5;
+  --rht-success-fg: #065f46;
+
+  /* Error toasts */
+  --rht-error-bg: #fef2f2;
+  --rht-error-fg: #991b1b;
+
+  /* Loading toasts */
+  --rht-loading-bg: #eff6ff;
+  --rht-loading-fg: #1e40af;
+
+  /* Blank toasts */
+  --rht-blank-bg: #fff;
+  --rht-blank-fg: #363636;
+}
+```

src/components/toast-bar.tsx

@@ -1,23 +1,10 @@
 import * as React from 'react';
-import { styled, keyframes } from 'goober';
+import { styled } from 'goober';
 
 import { Toast, ToastPosition, resolveValue, Renderable } from '../core/types';
 import { ToastIcon } from './toast-icon';
 import { prefersReducedMotion } from '../core/utils';
 
-const enterAnimation = (factor: number) => `
-0% {transform: translate3d(0,${factor * -200}%,0) scale(.6); opacity:.5;}
-100% {transform: translate3d(0,0,0) scale(1); opacity:1;}
-`;
-
-const exitAnimation = (factor: number) => `
-0% {transform: translate3d(0,0,-1px) scale(1); opacity:1;}
-100% {transform: translate3d(0,${factor * -150}%,-1px) scale(.6); opacity:0;}
-`;
-
-const fadeInAnimation = `0%{opacity:0;} 100%{opacity:1;}`;
-const fadeOutAnimation = `0%{opacity:1;} 100%{opacity:0;}`;
-
 // Use :where() for zero specificity - allows Tailwind to override easily
 const ToastBarBase = styled('div')`
   :where(&) {
@@ -33,6 +20,84 @@ const ToastBarBase = styled('div')`
     padding: 8px 10px;
     border-radius: 8px;
   }
+
+  @keyframes rht-enter-from-top {
+    0% { transform: translate3d(0, -200%, 0) scale(.6); opacity: .5; }
+    100% { transform: translate3d(0, 0, 0) scale(1); opacity: 1; }
+  }
+
+  @keyframes rht-enter-from-bottom {
+    0% { transform: translate3d(0, 200%, 0) scale(.6); opacity: .5; }
+    100% { transform: translate3d(0, 0, 0) scale(1); opacity: 1; }
+  }
+
+  @keyframes rht-exit-to-top {
+    0% { transform: translate3d(0, 0, -1px) scale(1); opacity: 1; }
+    100% { transform: translate3d(0, -150%, -1px) scale(.6); opacity: 0; }
+  }
+
+  @keyframes rht-exit-to-bottom {
+    0% { transform: translate3d(0, 0, -1px) scale(1); opacity: 1; }
+    100% { transform: translate3d(0, 150%, -1px) scale(.6); opacity: 0; }
+  }
+
+  @keyframes rht-fade-in {
+    0% { opacity: 0; }
+    100% { opacity: 1; }
+  }
+
+  @keyframes rht-fade-out {
+    0% { opacity: 1; }
+    100% { opacity: 0; }
+  }
+
+  &.rht-enter-from-top {
+    animation: rht-enter-from-top 0.35s cubic-bezier(.21,1.02,.73,1) forwards;
+  }
+
+  &.rht-enter-from-bottom {
+    animation: rht-enter-from-bottom 0.35s cubic-bezier(.21,1.02,.73,1) forwards;
+  }
+
+  &.rht-exit-to-top {
+    animation: rht-exit-to-top 0.4s forwards cubic-bezier(.06,.71,.55,1);
+  }
+
+  &.rht-exit-to-bottom {
+    animation: rht-exit-to-bottom 0.4s forwards cubic-bezier(.06,.71,.55,1);
+  }
+
+  &.rht-fade-in {
+    animation: rht-fade-in 0.35s cubic-bezier(.21,1.02,.73,1) forwards;
+  }
+
+  &.rht-fade-out {
+    animation: rht-fade-out 0.4s forwards cubic-bezier(.06,.71,.55,1);
+  }
+
+  &.rht-invisible {
+    opacity: 0;
+  }
+
+  &.rht-success {
+    background: var(--rht-success-bg, #ecfdf5);
+    color: var(--rht-success-fg, #065f46);
+  }
+
+  &.rht-error {
+    background: var(--rht-error-bg, #fef2f2);
+    color: var(--rht-error-fg, #991b1b);
+  }
+
+  &.rht-loading {
+    background: var(--rht-loading-bg, #fff);
+    color: var(--rht-loading-fg, #363636);
+  }
+
+  &.rht-blank {
+    background: var(--rht-blank-bg, #fff);
+    color: var(--rht-blank-fg, #363636);
+  }
 `;
 
 const Message = styled('div')`
@@ -54,32 +119,36 @@ interface ToastBarProps {
   }) => Renderable;
 }
 
-const getAnimationStyle = (
+const getAnimationClass = (
   position: ToastPosition,
-  visible: boolean
-): React.CSSProperties => {
+  visible: boolean,
+  hasHeight: boolean
+): string => {
+  if (!hasHeight) {
+    return 'rht-invisible';
+  }
+
   const top = position.includes('top');
-  const factor = top ? 1 : -1;
+  const reduced = prefersReducedMotion();
 
-  const [enter, exit] = prefersReducedMotion()
-    ? [fadeInAnimation, fadeOutAnimation]
-    : [enterAnimation(factor), exitAnimation(factor)];
+  if (reduced) {
+    return visible ? 'rht-fade-in' : 'rht-fade-out';
+  }
+
+  if (visible) {
+    return top ? 'rht-enter-from-top' : 'rht-enter-from-bottom';
+  }
 
-  return {
-    animation: visible
-      ? `${keyframes(enter)} 0.35s cubic-bezier(.21,1.02,.73,1) forwards`
-      : `${keyframes(exit)} 0.4s forwards cubic-bezier(.06,.71,.55,1)`,
-  };
+  return top ? 'rht-exit-to-top' : 'rht-exit-to-bottom';
 };
 
 export const ToastBar: React.FC<ToastBarProps> = React.memo(
   ({ toast, position, style, children }) => {
-    const animationStyle: React.CSSProperties = toast.height
-      ? getAnimationStyle(
-          toast.position || position || 'top-center',
-          toast.visible
-        )
-      : { opacity: 0 };
+    const animationClass = getAnimationClass(
+      toast.position || position || 'top-center',
+      toast.visible,
+      !!toast.height
+    );
 
     const icon = <ToastIcon toast={toast} />;
     const message = (
@@ -88,11 +157,18 @@ export const ToastBar: React.FC<ToastBarProps> = React.memo(
       </Message>
     );
 
+    const className = [
+      toast.className,
+      animationClass,
+      toast.type ? `rht-${toast.type}` : null,
+    ]
+      .filter(Boolean)
+      .join(' ');
+
     return (
       <ToastBarBase
-        className={toast.className}
+        className={className}
         style={{
-          ...animationStyle,
           ...style,
           ...toast.style,
         }}