feat: add nonce prop for CSP-compliant user-select style injection

[STRML]

Summary

The user-select hack injects a <style> element into the document <head> on drag start (enableUserSelectHack, on by default). Under a strict Content Security Policy that omits 'unsafe-inline' from style-src, the browser blocks that element and logs a violation.

This was raised in #791 and the follow-up comment 4743333644. The workaround offered there (pre-inject the element server-side) is awkward for client-only apps, which is the gap this closes.

This PR adds first-class CSP support:

• New optional nonce?: string prop on DraggableCore. It's inherited by Draggable (which spreads undestructured props through) and flows to addUserSelectStyles, which applies it via setAttribute('nonce', ...).
• When no nonce is passed, fall back to webpack's __webpack_nonce__ global when defined — read behind a typeof guard so non-webpack bundlers don't throw. This is the same convention styled-components / emotion use, and means most webpack users need zero config.
• The nonce is applied only when the element is first created, preserving the existing skip-if-already-present behavior.
• README documents the prop, the __webpack_nonce__ fallback, and enableUserSelectHack={false} as a no-prop opt-out.

Because react-resizable already spreads draggableOpts onto DraggableCore, its users get this for free via draggableOpts={{ nonce }} once this ships — no change needed there.

Test plan

• yarn typecheck — clean
• yarn lint — clean
• yarn test — 204 passing, including 7 new tests:
  • addUserSelectStyles: no nonce by default, explicit nonce applied, not retroactively applied to an existing element, __webpack_nonce__ fallback, explicit-over-global precedence
  • DraggableCore: nonce reaches the injected element on a real drag start
• yarn build — generated cjs/umd preserve the typeof __webpack_nonce__ reference (not mangled by esbuild) and public .d.ts exposes nonce?: string

Closes #791

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 187ac825-8e3f-4fc0-bb44-ce691db34e70

📥 Commits

Reviewing files that changed from the base of the PR and between 721287a and 9da7914.

📒 Files selected for processing (5)

• README.md
• lib/DraggableCore.tsx
• lib/utils/domFns.ts
• test/DraggableCore.test.jsx
• test/utils/domFns.extra.test.js

 __________________________________
< Pretty fly for a code review AI. >
 ----------------------------------
  \
   \   (\__/)
       (•ㅅ•)
       / 　 づ

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/csp-nonce

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}