Skip to content

Add strict CSP mode with opt-in inline style removal #412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add strict CSP mode with opt-in inline style removal #412

wants to merge 1 commit into from

Conversation

@ndbroadbent
Copy link

@ndbroadbent ndbroadbent commented Oct 2, 2025
edited
Loading

It also required this PR for goober which was merged and is now available in 2.1.17: cristianbote/goober#612

This PR adds optional strict Content Security Policy (CSP) support to react-hot-toast, making it compatible with CSP policies that disallow inline styles.

Changes

  • New strictCSP prop: Opt-in mode that removes all inline styles for CSP compliance
  • Backward compatible: Default behavior unchanged - existing code works without modifications
  • CSS variable theming: Added CSS variables for styling toast types in strict CSP mode
  • Static CSS animations: Replaced dynamic keyframes() calls with static @keyframes CSS - cleaner, more performant, and CSP-compatible. NOTE: This change applies to both mode since it works either way.
  • Nonce support: Leverages goober's CSP nonce support released in 2.1.17

API

// Default mode (unchanged behavior)
<Toaster
  toastOptions={{
    style: { background: 'red' }, // inline styles work
  }}
/>

// Strict CSP mode (opt-in)
<Toaster
  strictCSP={true}
  toastOptions={{
    className: 'my-toast', // use CSS classes instead
  }}
/>

CSS Variables (Strict CSP Mode)

:root {
  --rht-success-bg: #ecfdf5;
  --rht-success-fg: #065f46;
  --rht-error-bg: #fef2f2;
  --rht-error-fg: #991b1b;
  --rht-loading-bg: #eff6ff;
  --rht-loading-fg: #1e40af;
  --rht-blank-bg: #fff;
  --rht-blank-fg: #363636;
}

Why?

Inline style attributes cannot be secured with CSP nonces - they require 'unsafe-inline' which defeats the purpose of CSP. This PR provides a path for applications with strict CSP requirements while maintaining full backward compatibility.

Implementation

  • Default mode: Uses inline styles for positioning and theming (original behavior)
  • Strict CSP mode: Uses CSS flexbox for positioning, CSS variables for theming, and CSS classes for all styling

Documentation

  • Updated README with CSP section
  • Updated docs site with strict CSP mode examples
  • Added migration guide for users who need CSP compliance

Backward Compatibility

✅ Fully backward compatible - no breaking changes. Strict CSP mode is opt-in via strictCSP={true} prop.

@vercel
Copy link

vercel bot commented Oct 2, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
react-hot-toast Error Error Oct 2, 2025 2:17pm

This was referenced Oct 2, 2025
Open
Merged
@ndbroadbent ndbroadbent force-pushed the fix/csp-inline-styles branch from ee4dde0 to 73218ae Compare October 2, 2025 14:17
@ndbroadbent ndbroadbent force-pushed the fix/csp-inline-styles branch from 73218ae to 966490e Compare October 2, 2025 14:45
@vercel
Copy link

vercel bot commented Oct 2, 2025

@ndbroadbent is attempting to deploy a commit to the timo's Team Team on Vercel.

A member of the Team first needs to authorize it.

@ndbroadbent ndbroadbent force-pushed the fix/csp-inline-styles branch 3 times, most recently from eb0fcee to 51693de Compare October 3, 2025 03:57
@ndbroadbent
Added strictCSP mode that avoids all inline styles and uses CSS vars …
1704ef1 
…for styling. Replaced JS-based animations with CSS keyframes
@ndbroadbent ndbroadbent force-pushed the fix/csp-inline-styles branch from 51693de to 1704ef1 Compare October 3, 2025 20:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Strict CSP and nonce

1 participant

@ndbroadbent