Open WoetDev opened 1 month ago
Looking further into this because it's also causing issues for me.
% npm ls react-style-singleton
portal
├─┬ @radix-ui/react-dialog@1.1.1
│ └─┬ react-remove-scroll@2.5.7
│   ├─┬ react-remove-scroll-bar@2.3.6
│   │ └── react-style-singleton@2.2.1 deduped
│   └── react-style-singleton@2.2.1
└─┬ cmdk@0.2.1
  └─┬ @radix-ui/react-dialog@1.0.0
    └─┬ react-remove-scroll@2.5.4
      └── react-style-singleton@2.2.1 deduped
It appears that this is a dependency on react-remove-scroll. I think these are related.
Describe the bug
Certain components don't work when unsafe-inline is not defined in the CSP, a security incompatibility that should be resolved so shadcn can also be used by development teams under strict security requirements. I hope the shadcn team also takes security seriously and wants to support this 🙏
If CSS can be injected by an attack, it can aid in social engineering attacks by confusing the target users.
Seems to be a problem with Toast as well as the third-party library Sonner: https://github.com/emilkowalski/sonner/issues/449
This issue seems to remain closed even after requesting it to be re-opened: https://github.com/shadcn-ui/ui/issues/2891
Affected component/components
Toast, Sonner, Tabs, Dialog, Sheet, Command
How to reproduce
Use any CSP with the style-src directive set to anything other than unsafe-inline.
Codesandbox/StackBlitz link
No response