fix: scrollbar measurement missing CSP nonce when creating <style>

[danielthegray]

The CSP needs to be passed in by the calling component (via the ConfigContext or ConfigProvider), but these utility methods need to have a way to pass in this value, to be used when cloning the <style> element and calling updateCSS().

I tried to add this in a way that would not break any of the callers.

Summary by CodeRabbit

• 改进
  • 增强对 Content Security Policy (CSP) nonce 的支持：动态注入的滚动条样式现在可在启用 CSP nonce 的环境中正确应用，保持向后兼容，现有集成无需修改。
• 测试
  • 新增单元测试以验证 CSP nonce 在动态样式注入时被正确传递和使用。

[vercel]

@danielthegray is attempting to deploy a commit to the React Component Team on Vercel.

A member of the Team first needs to authorize it.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a Content Security Policy (CSP) compliance issue by integrating nonce support into the scrollbar measurement utility. It ensures that when the component dynamically creates <style> elements to determine scrollbar dimensions, these elements can be properly whitelisted by the page's CSP, preventing security violations and maintaining functionality in secure environments.

Highlights

• CSP Nonce Support: Introduced an optional csp parameter to measureScrollbarSize and getTargetScrollBarSize functions to allow passing a Content Security Policy (CSP) nonce. This ensures that dynamically created <style> elements for scrollbar measurement can include the necessary nonce attribute for CSP compliance.
• Parameter Propagation: Modified the getTargetScrollBarSize function to propagate the csp parameter to the measureScrollbarSize function, ensuring the nonce is available throughout the scrollbar measurement process.
• Dynamic Style Update: Updated the internal call to updateCSS within measureScrollbarSize to accept and utilize the provided csp object, enabling the nonce to be applied to the dynamically generated <style> element.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 349767fb-adc3-4015-9992-1a1d6769d2f3

📥 Commits

Reviewing files that changed from the base of the PR and between aff757c and b3cf67b.

📒 Files selected for processing (1)

• tests/getScrollBarSize.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/getScrollBarSize.test.ts

---

Walkthrough

扩展了滚动条测量函数以接受可选的 CSP 配置对象（含 nonce），并将该配置透传给用于注入 ::-webkit-scrollbar 样式的 updateCSS；新增单元测试验证 nonce 被正确传递。

Changes

Cohort / File(s)	Summary
滚动条测量逻辑 src/getScrollBarSize.tsx	为内部 measureScrollbarSize 和导出 getTargetScrollBarSize 添加可选参数 csp?: { nonce?: string }，并在注入 ::-webkit-scrollbar CSS 时将该 csp 透传给 updateCSS。
测试覆盖 tests/getScrollBarSize.test.ts	新增测试用例，spy updateCSS 并断言调用时包含 { csp: { nonce } } 选项；包含目标元素创建与清理。

Sequence Diagram(s)

(无)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• rc-util's getScrollBarSize Does Not Respect ConfigProvider's csp.nonce, Causing CSP Violations #613：该 issue 报告未将 csp.nonce 传入滚动条样式注入逻辑，本 PR 将 csp 透传至 updateCSS，直接对应该目标。

诗

🐰 我在草丛里敲敲键，
给样式戴上安全的帽，
一个 nonce 轻轻跳入舞蹈，
滚动条也放心地转绕，
小改动，安心着跑。

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	标题清晰准确地概括了变更的主要目的：为滚动条测量函数添加 CSP nonce 支持，以修复创建 style 标签时缺失 CSP nonce 的问题。

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces Content Security Policy (CSP) support, specifically for nonce attributes, to the scrollbar size measurement functions (measureScrollbarSize and getTargetScrollBarSize). This involves passing a csp object to ensure dynamically created <style> elements comply with CSP. The primary feedback is that the new csp functionality lacks test coverage, and a unit test is requested to verify the correct application of the nonce to the created <style> element.

[coderabbitai]

🧹 Nitpick comments (1)

tests/getScrollBarSize.test.ts (1)

51-71: 测试清理逻辑建议改进

当前的清理代码（mockRestore() 和 removeChild()）位于测试末尾，如果断言失败，这些清理操作将不会执行，可能影响后续测试的隔离性。

建议使用 try/finally 或将清理逻辑移至 afterEach 钩子中以确保资源始终被释放。

♻️ 建议的改进方案

     it('should pass csp nonce to updateCSS', () => {
       const updateCSSSpy = jest.spyOn(
         require('../src/Dom/dynamicCSS'),
         'updateCSS',
       );

       const target = document.createElement('div');
       document.body.appendChild(target);

-      const nonce = 'test-nonce-123';
-      getTargetScrollBarSize(target, { nonce });
-
-      expect(updateCSSSpy).toHaveBeenCalledWith(
-        expect.any(String),
-        expect.any(String),
-        { csp: { nonce } },
-      );
-
-      updateCSSSpy.mockRestore();
-      document.body.removeChild(target);
+      try {
+        const nonce = 'test-nonce-123';
+        getTargetScrollBarSize(target, { nonce });
+
+        expect(updateCSSSpy).toHaveBeenCalledWith(
+          expect.any(String),
+          expect.any(String),
+          { csp: { nonce } },
+        );
+      } finally {
+        updateCSSSpy.mockRestore();
+        document.body.removeChild(target);
+      }
     });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/getScrollBarSize.test.ts` around lines 51 - 71, Move the test cleanup
into a guaranteed teardown so resources are always released: ensure the spy
created for updateCSS (updateCSSSpy) is restored and the DOM node (target)
appended for getTargetScrollBarSize is removed even if assertions fail by
wrapping the test body in a try/finally that calls updateCSSSpy.mockRestore()
and document.body.removeChild(target), or alternatively register those cleanup
steps in an afterEach hook to restore the spy and remove the target element.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/getScrollBarSize.test.ts`:
- Around line 51-71: Move the test cleanup into a guaranteed teardown so
resources are always released: ensure the spy created for updateCSS
(updateCSSSpy) is restored and the DOM node (target) appended for
getTargetScrollBarSize is removed even if assertions fail by wrapping the test
body in a try/finally that calls updateCSSSpy.mockRestore() and
document.body.removeChild(target), or alternatively register those cleanup steps
in an afterEach hook to restore the spy and remove the target element.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5723034-4c68-4df5-a8bb-7c837a6ab4ff

📥 Commits

Reviewing files that changed from the base of the PR and between bd4b3a2 and aff757c.

📒 Files selected for processing (1)

• tests/getScrollBarSize.test.ts