feat: Added strict CSP mode that uses CSS-only

Author: ndbroadbent

README.md

@@ -67,6 +67,48 @@ const App = () => {
 };
 ```
 
+## Content Security Policy (CSP)
+
+react-hot-toast supports strict Content Security Policies through an opt-in strict CSP mode.
+
+### Default Mode
+
+By default, react-hot-toast uses inline styles for maximum flexibility. This requires `style-src 'unsafe-inline'` in your CSP.
+
+### Strict CSP Mode
+
+For applications with strict CSP that disallow inline styles, enable strict CSP mode:
+
+```jsx
+import toast, { Toaster } from 'react-hot-toast';
+
+<Toaster strictCSP={true} />
+```
+
+In strict CSP mode:
+- All inline `style` props are ignored
+- Styling must be done via CSS classes and CSS variables
+- Toast positioning uses CSS flexbox instead of inline transforms
+- Fully compatible with CSP `style-src 'nonce-...'` directives
+
+The library uses [goober](https://github.com/cristianbote/goober) for styling, which supports CSP nonces through multiple methods:
+
+**Using `setNonce()`:**
+```js
+import { setNonce } from 'goober';
+setNonce('your-nonce-here');
+```
+
+**Vite convention:**
+```html
+<meta property="csp-nonce" nonce="your-nonce-here" />
+```
+
+**Webpack convention:**
+Set `window.__webpack_nonce__` in your entry script (see [webpack CSP guide](https://webpack.js.org/guides/csp/)).
+
+Make sure your CSP includes `style-src 'nonce-your-nonce-here'` and `script-src 'nonce-your-nonce-here'`.
+
 ## Documentation
 
 Find the full API reference on [official documentation](https://react-hot-toast.com/docs).

site/pages/docs/styling.mdx

@@ -128,3 +128,41 @@ import { Toaster, ToastBar } from 'react-hot-toast';
   )}
 </Toaster>;
 ```
+
+## Strict CSP Mode
+
+For applications with strict Content Security Policies that disallow inline styles, enable `strictCSP` mode:
+
+```jsx
+<Toaster strictCSP={true} />
+```
+
+In strict CSP mode:
+- All inline `style` props are ignored
+- Styling must be done via CSS classes and CSS variables
+- Toast positioning uses CSS flexbox instead of inline transforms
+- The library is fully compatible with CSP `style-src 'nonce-...'` directives
+
+### Styling with CSS Variables (Strict CSP)
+
+When using strict CSP mode, use CSS variables for theming:
+
+```css
+:root {
+  /* Success toasts */
+  --rht-success-bg: #ecfdf5;
+  --rht-success-fg: #065f46;
+
+  /* Error toasts */
+  --rht-error-bg: #fef2f2;
+  --rht-error-fg: #991b1b;
+
+  /* Loading toasts */
+  --rht-loading-bg: #eff6ff;
+  --rht-loading-fg: #1e40af;
+
+  /* Blank toasts */
+  --rht-blank-bg: #fff;
+  --rht-blank-fg: #363636;
+}
+```

src/components/toast-bar.tsx

@@ -1,23 +1,10 @@
 import * as React from 'react';
-import { styled, keyframes } from 'goober';
+import { styled } from 'goober';
 
 import { Toast, ToastPosition, resolveValue, Renderable } from '../core/types';
 import { ToastIcon } from './toast-icon';
 import { prefersReducedMotion } from '../core/utils';
 
-const enterAnimation = (factor: number) => `
-0% {transform: translate3d(0,${factor * -200}%,0) scale(.6); opacity:.5;}
-100% {transform: translate3d(0,0,0) scale(1); opacity:1;}
-`;
-
-const exitAnimation = (factor: number) => `
-0% {transform: translate3d(0,0,-1px) scale(1); opacity:1;}
-100% {transform: translate3d(0,${factor * -150}%,-1px) scale(.6); opacity:0;}
-`;
-
-const fadeInAnimation = `0%{opacity:0;} 100%{opacity:1;}`;
-const fadeOutAnimation = `0%{opacity:1;} 100%{opacity:0;}`;
-
 // Use :where() for zero specificity - allows Tailwind to override easily
 const ToastBarBase = styled('div')`
   :where(&) {
@@ -33,6 +20,84 @@ const ToastBarBase = styled('div')`
     padding: 8px 10px;
     border-radius: 8px;
   }
+
+  @keyframes rht-enter-from-top {
+    0% { transform: translate3d(0, -200%, 0) scale(.6); opacity: .5; }
+    100% { transform: translate3d(0, 0, 0) scale(1); opacity: 1; }
+  }
+
+  @keyframes rht-enter-from-bottom {
+    0% { transform: translate3d(0, 200%, 0) scale(.6); opacity: .5; }
+    100% { transform: translate3d(0, 0, 0) scale(1); opacity: 1; }
+  }
+
+  @keyframes rht-exit-to-top {
+    0% { transform: translate3d(0, 0, -1px) scale(1); opacity: 1; }
+    100% { transform: translate3d(0, -150%, -1px) scale(.6); opacity: 0; }
+  }
+
+  @keyframes rht-exit-to-bottom {
+    0% { transform: translate3d(0, 0, -1px) scale(1); opacity: 1; }
+    100% { transform: translate3d(0, 150%, -1px) scale(.6); opacity: 0; }
+  }
+
+  @keyframes rht-fade-in {
+    0% { opacity: 0; }
+    100% { opacity: 1; }
+  }
+
+  @keyframes rht-fade-out {
+    0% { opacity: 1; }
+    100% { opacity: 0; }
+  }
+
+  &.rht-enter-from-top {
+    animation: rht-enter-from-top 0.35s cubic-bezier(.21,1.02,.73,1) forwards;
+  }
+
+  &.rht-enter-from-bottom {
+    animation: rht-enter-from-bottom 0.35s cubic-bezier(.21,1.02,.73,1) forwards;
+  }
+
+  &.rht-exit-to-top {
+    animation: rht-exit-to-top 0.4s forwards cubic-bezier(.06,.71,.55,1);
+  }
+
+  &.rht-exit-to-bottom {
+    animation: rht-exit-to-bottom 0.4s forwards cubic-bezier(.06,.71,.55,1);
+  }
+
+  &.rht-fade-in {
+    animation: rht-fade-in 0.35s cubic-bezier(.21,1.02,.73,1) forwards;
+  }
+
+  &.rht-fade-out {
+    animation: rht-fade-out 0.4s forwards cubic-bezier(.06,.71,.55,1);
+  }
+
+  &.rht-invisible {
+    opacity: 0;
+  }
+
+  &.rht-success {
+    background: var(--rht-success-bg, #ecfdf5);
+    color: var(--rht-success-fg, #065f46);
+  }
+
+  &.rht-error {
+    background: var(--rht-error-bg, #fef2f2);
+    color: var(--rht-error-fg, #991b1b);
+  }
+
+  &.rht-loading {
+    background: var(--rht-loading-bg, #fff);
+    color: var(--rht-loading-fg, #363636);
+  }
+
+  &.rht-blank {
+    background: var(--rht-blank-bg, #fff);
+    color: var(--rht-blank-fg, #363636);
+  }
 `;
 
 const Message = styled('div')`
@@ -48,38 +113,43 @@ interface ToastBarProps {
   toast: Toast;
   position?: ToastPosition;
   style?: React.CSSProperties;
+  strictCSP?: boolean;
   children?: (components: {
     icon: Renderable;
     message: Renderable;
   }) => Renderable;
 }
 
-const getAnimationStyle = (
+const getAnimationClass = (
   position: ToastPosition,
-  visible: boolean
-): React.CSSProperties => {
+  visible: boolean,
+  hasHeight: boolean
+): string => {
+  if (!hasHeight) {
+    return 'rht-invisible';
+  }
+
   const top = position.includes('top');
-  const factor = top ? 1 : -1;
+  const reduced = prefersReducedMotion();
 
-  const [enter, exit] = prefersReducedMotion()
-    ? [fadeInAnimation, fadeOutAnimation]
-    : [enterAnimation(factor), exitAnimation(factor)];
+  if (reduced) {
+    return visible ? 'rht-fade-in' : 'rht-fade-out';
+  }
+
+  if (visible) {
+    return top ? 'rht-enter-from-top' : 'rht-enter-from-bottom';
+  }
 
-  return {
-    animation: visible
-      ? `${keyframes(enter)} 0.35s cubic-bezier(.21,1.02,.73,1) forwards`
-      : `${keyframes(exit)} 0.4s forwards cubic-bezier(.06,.71,.55,1)`,
-  };
+  return top ? 'rht-exit-to-top' : 'rht-exit-to-bottom';
 };
 
 export const ToastBar: React.FC<ToastBarProps> = React.memo(
-  ({ toast, position, style, children }) => {
-    const animationStyle: React.CSSProperties = toast.height
-      ? getAnimationStyle(
-          toast.position || position || 'top-center',
-          toast.visible
-        )
-      : { opacity: 0 };
+  ({ toast, position, style, strictCSP, children }) => {
+    const animationClass = getAnimationClass(
+      toast.position || position || 'top-center',
+      toast.visible,
+      !!toast.height
+    );
 
     const icon = <ToastIcon toast={toast} />;
     const message = (
@@ -88,11 +158,18 @@ export const ToastBar: React.FC<ToastBarProps> = React.memo(
       </Message>
     );
 
+    const className = [
+      toast.className,
+      animationClass,
+      toast.type ? `rht-${toast.type}` : null,
+    ]
+      .filter(Boolean)
+      .join(' ');
+
     return (
       <ToastBarBase
-        className={toast.className}
-        style={{
-          ...animationStyle,
+        className={className}
+        style={strictCSP ? undefined : {
           ...style,
           ...toast.style,
         }}

src/components/toaster.tsx

@@ -1,4 +1,4 @@
-import { css, setup } from 'goober';
+import { styled, setup, css } from 'goober';
 import * as React from 'react';
 import {
   resolveValue,
@@ -81,19 +81,106 @@ const activeClass = css`
 `;
 
 const DEFAULT_OFFSET = 16;
+const DEFAULT_GUTTER = 8;
+
+const ToasterContainer = styled('div')`
+  position: fixed;
+  z-index: 9999;
+  top: ${DEFAULT_OFFSET}px;
+  left: ${DEFAULT_OFFSET}px;
+  right: ${DEFAULT_OFFSET}px;
+  bottom: ${DEFAULT_OFFSET}px;
+  pointer-events: none;
+  display: flex;
+  flex-direction: column;
+  gap: ${DEFAULT_GUTTER}px;
+
+  &[data-position="top-left"],
+  &[data-position="top-center"],
+  &[data-position="top-right"] {
+    align-items: flex-start;
+  }
+
+  &[data-position="bottom-left"],
+  &[data-position="bottom-center"],
+  &[data-position="bottom-right"] {
+    align-items: flex-start;
+    flex-direction: column-reverse;
+  }
+
+  &[data-position="top-center"],
+  &[data-position="bottom-center"] {
+    align-items: center;
+  }
+
+  &[data-position="top-right"],
+  &[data-position="bottom-right"] {
+    align-items: flex-end;
+  }
+
+  > * {
+    pointer-events: auto;
+  }
+
+  @media (prefers-reduced-motion: reduce) {
+    * {
+      transition: none !important;
+      animation: none !important;
+    }
+  }
+`;
 
 export const Toaster: React.FC<ToasterProps> = ({
   reverseOrder,
   position = 'top-center',
   toastOptions,
-  gutter,
+  gutter = DEFAULT_GUTTER,
   children,
   toasterId,
   containerStyle,
   containerClassName,
+  strictCSP = false,
 }) => {
   const { toasts, handlers } = useToaster(toastOptions, toasterId);
 
+  // Sort toasts based on reverseOrder
+  const sortedToasts = reverseOrder ? [...toasts].reverse() : toasts;
+
+  // Strict CSP mode: Use styled component with no inline styles
+  if (strictCSP) {
+    return (
+      <ToasterContainer
+        data-rht-toaster={toasterId || ''}
+        data-position={position}
+        className={containerClassName}
+        onMouseEnter={handlers.startPause}
+        onMouseLeave={handlers.endPause}
+      >
+        {sortedToasts.map((t) => {
+          const toastPosition = t.position || position;
+
+          return (
+            <ToastWrapper
+              id={t.id}
+              key={t.id}
+              onHeightUpdate={handlers.updateHeight}
+              className=""
+            >
+              {t.type === 'custom' ? (
+                resolveValue(t.message, t)
+              ) : children ? (
+                children(t)
+              ) : (
+                <ToastBar toast={t} position={toastPosition} strictCSP />
+              )}
+            </ToastWrapper>
+          );
+        })}
+      </ToasterContainer>
+    );
+  }
+
+  // Default mode: Use inline styles for maximum flexibility
   return (
     <div
       data-rht-toaster={toasterId || ''}