Skip to content

feat: support CSP by adding optional nonce #2501

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: support CSP by adding optional nonce #2501

wants to merge 2 commits into from

Conversation

furisake
Copy link

@furisake furisake commented Aug 18, 2025
edited by pr-codex bot
Loading

Overview

  • This adds support for Content Security Policy (CSP) by optionally attaching a nonce to <style> tags.
  • This change is does not break any existing code.

Why

  • To support strict CSP configurations where style-src requires a per-response nonce instead of 'unsafe-inline'.

Related Issues:

Changes

Usage

You can now optionally pass a nonce prop to RainbowKitProvider:

- <RainbowKitProvider>
+ <RainbowKitProvider nonce={nonce}>
  ...
  </RainbowKitProvider>

Note

The nonce must be generated per HTTP response by your server (do not hard-code).
See Next.js CSP guide for an example.

PR-Codex overview

This PR introduces support for Content Security Policy (CSP) by adding an optional nonce parameter to various modal components in the rainbowkit package, enhancing security for inline styles.

Detailed summary

  • Updated package.json to include get-nonce dependency.
  • Added nonce prop to AccountModal, ChainModal, RainbowKitProvider, ModalProvider, Dialog, and ConnectModal.
  • Integrated setNonce function from get-nonce in Dialog component.
  • Updated change log with CSP support details.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

@furisake furisake requested a review from a team as a code owner August 18, 2025 06:17
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 18, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 0ca137d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 19 packages
Name Type
@rainbow-me/rainbowkit Minor
example Patch
@rainbow-me/rainbow-button Patch
@rainbow-me/rainbowkit-siwe-next-auth Major
rainbowkit-next-app Patch
site Patch
with-create-react-app Patch
with-next-app-i18n Patch
with-next-app Patch
with-next-custom-button Patch
with-next-mint-nft Patch
with-next-siwe-iron-session Patch
with-next-siwe-next-auth Patch
with-next-wallet-button Patch
with-next Patch
with-react-router Patch
with-remix Patch
with-vite Patch
with-next-rainbow-button Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel Vercel
Copy link

vercel bot commented Aug 18, 2025

@furisake is attempting to deploy a commit to the rainbowdotme Team on Vercel.

A member of the Team first needs to authorize it.

@ga-reth
Copy link

ga-reth commented Sep 2, 2025

@DanielSinclair hey, any chance this could be reviewed/merged? would be great to see this in prod!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@furisake @ga-reth