Revert "fix: apply StyleProvider nonce to CSS variable styles"

[zombieJ]

Reverts #252

Summary by CodeRabbit

发行说明

• 重构
  • 简化了样式配置处理流程，提升代码维护性。
  • 优化了CSS注入机制的内部实现，使配置流程更加直观高效。

[github-actions]

🎊 PR Preview 4f8f36a has been successfully built and deployed to https://ant-design-cssinjs-preview-pr-254.surge.sh

🕐 Build time: 96.899s

_{🤖 By surge-preview}

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 877ee52d-7896-44ad-bf61-72ed097f5ba6

📥 Commits

Reviewing files that changed from the base of the PR and between 0d105b2 and 4f8f36a.

📒 Files selected for processing (5)

• src/StyleContext.tsx
• src/hooks/useCSSVarRegister.ts
• src/hooks/useCacheToken.tsx
• src/util/index.ts
• tests/index.spec.tsx

---

📝 Walkthrough

高级走查（Walkthrough）

本PR移除了样式上下文中的nonce（内容安全策略）相关功能，包括从StyleContextProps中删除nonce属性、移除mergeCSSConfig工具函数、清理CSS注册和缓存令牌钩子中的nonce处理，并删除相应的测试用例。同时添加了autoPrefix布尔属性。

变更（Changes）

组件 / 文件(s)	变更总结
样式上下文配置 src/StyleContext.tsx	移除了nonce属性（nonce?: string | (() => string)）；添加了新的autoPrefix?: boolean属性用于样式前缀配置。
工具函数移除 src/util/index.ts	删除了导出的mergeCSSConfig函数（之前用于将CSP nonce条件性地添加到CSS注入配置中）。
CSS变量注册钩子 src/hooks/useCSSVarRegister.ts	移除了mergeCSSConfig的使用；用直接配置对象替代，移除了nonce从StyleContext的提取。
缓存令牌钩子 src/hooks/useCacheToken.tsx	移除了mergeCSSConfig导入和使用；用直接内联配置对象替代，移除了nonce从StyleContext的提取。
测试清理 tests/index.spec.tsx	删除了"StyleProvider nonce for CSS var"整个测试块，包括辅助函数testWithStyleProvider和两个测试调用。

代码审查工作量估计

🎯 2 (简单) | ⏱️ ~12 分钟

诗歌

🐰 Nonce再见，autoPrefix来临，
样式配置焕然一新，
mergeCSSConfig已成往事，
清洁代码闪闪发光，
测试也跟随更新步伐！ ✨

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch revert-252-fix/css-var-nonce

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request fully reverts a previous change that introduced Content Security Policy (CSP) nonce support for CSS variable styles. The primary impact is the removal of the nonce configuration option from the styling context and the associated logic that applied it to dynamically injected CSS. This streamlines the styling system by removing a feature that was likely found to be problematic or unnecessary, simplifying the codebase related to CSS variable registration and caching.

Highlights

• Reverted Nonce Support: The nonce property has been removed from the StyleContextProps interface, effectively undoing the mechanism for applying Content Security Policy (CSP) nonces to CSS variable styles.
• Removed Nonce Logic from Hooks: The useCSSVarRegister and useCacheToken hooks no longer consume or apply the nonce property when updating CSS, simplifying their style injection logic.
• Removed Utility Function: The mergeCSSConfig utility function, which was responsible for merging CSS configuration with nonce support, has been removed as it is no longer needed.
• Removed Test Cases: Associated test cases for StyleProvider nonce for CSS var have been removed, reflecting the revert of this functionality.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/StyleContext.tsx
  • Removed the nonce property from the StyleContextProps interface.
• src/hooks/useCSSVarRegister.ts
  • Removed nonce from the StyleContext consumption.
  • Updated updateCSS call to directly use configuration object instead of mergeCSSConfig.
• src/hooks/useCacheToken.tsx
  • Removed nonce from the StyleContext consumption.
  • Updated updateCSS call to directly use configuration object instead of mergeCSSConfig.
• src/util/index.ts
  • Removed the mergeCSSConfig utility function.
• tests/index.spec.tsx
  • Removed the test suite for StyleProvider nonce for CSS var.

Activity

• No specific activity (comments, reviews, or progress updates) has been recorded for this pull request beyond its creation and the provided patch.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.65%. Comparing base (0d105b2) to head (4f8f36a).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #254      +/-   ##
==========================================
- Coverage   94.71%   94.65%   -0.07%     
==========================================
  Files          32       32              
  Lines        2859     2823      -36     
  Branches      453      448       -5     
==========================================
- Hits         2708     2672      -36     
  Misses        151      151              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gemini-code-assist]

Code Review

This pull request reverts the changes introduced in ant-design/cssinjs#252, which aimed to apply nonce to CSS variable styles. This revert, while technically clean, introduces a significant security regression by breaking support for strict Content Security Policies. Specifically, it removes the nonce property from StyleContextProps, eliminates the mergeCSSConfig utility, and updates useCSSVarRegister and useCacheToken hooks to no longer handle nonce for CSS variable injection. Furthermore, potential CSS injection vulnerabilities were identified where theme token values are injected into style tags without proper sanitization. It is strongly recommended to restore CSP nonce support and implement robust sanitization for all user-controllable token values.

[gemini-code-assist]

The removal of the nonce property from StyleContextProps is a security regression. This property is essential for applications that implement a strict Content Security Policy (CSP) requiring nonces for inline styles. By removing this property, the library loses the ability to pass nonces to dynamically injected style tags, which will cause them to be blocked by the browser in strict CSP environments. This may force developers to adopt less secure CSP directives like 'unsafe-inline' to maintain functionality.

[gemini-code-assist]

The cssVarsStr variable, which contains CSS variable definitions derived from theme tokens, is passed directly to the updateCSS sink without sanitization. If token values are user-controlled (e.g., in a customizable theme), an attacker can inject arbitrary CSS rules by including characters like ; or } in the token value. This can lead to UI redressing or data exfiltration via CSS-based attacks.

[gemini-code-assist]

Theme token values are injected into the document via updateCSS without sanitization. This allows for CSS injection if the theme tokens or overrides contain malicious content. An attacker could exploit this to manipulate the page's appearance or exfiltrate sensitive information using CSS selectors and external resources.