
rc-util's getScrollBarSize Does Not Respect ConfigProvider's csp.nonce, Causing CSP Violations #613

Open
@F4r4m4rz

Description


The getScrollBarSize function in rc-util dynamically injects CSS using updateCSS for measuring scrollbar size. However, it does not respect the nonce value provided via the ConfigProvider's csp property. This leads to CSP violations in environments with strict style-src policies.


Steps to Reproduce

  1. Set up a project using antd with a ConfigProvider configured to include a nonce value:
    <ConfigProvider
      csp={{
        nonce: 'test-nonce',
      }}
    >
  2. Use a component that indirectly triggers the getScrollBarSize function (i.e. Table from rc-table)
  3. Observe CSP violations in the browser console, such as:
    Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-test-nonce'".
    

Expected Behavior

The getScrollBarSize function should respect the configured nonce by passing it to the updateCSS function when dynamically injecting styles.


Affected Code

The relevant part of the getScrollBarSize.tsx, line 49:

updateCSS(
  `
#${randomId}::-webkit-scrollbar {
${widthStyle}
${heightStyle}
}`,
randomId,
);

Additional info

This issue was first introduced in commit e96b0c6.
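The failure mode reported above, worked through as an added example that is not part of the issue or of rc-util's code: a small model of how a browser enforces a strict style-src policy against a dynamically injected style element, with the scrollbar measurement done once without the nonce (the reported behaviour) and once with the ConfigProvider's csp forwarded to updateCSS (the expected behaviour). The updateCSS shape used here (an option object carrying csp.nonce) and the extra leading document argument are assumptions of this example, not rc-util's real signature; hash sources are not modelled.

```javascript
// Added example, not rc-util's code. A "document" here is a plain object
// that records attached style nodes and CSP refusals, so it runs without a DOM.

// Parse the style-src directive out of a CSP header string.
// Returns the source expressions, e.g. ["'self'", "'nonce-abc'"], or null
// when the header has no style-src directive.
function parseStyleSrc(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === 'style-src') return tokens.slice(1);
  }
  return null;
}

// Decide whether an inline <style> element carrying `nonce` (possibly
// undefined) passes the style-src sources. Follows the CSP3 rule this example
// cares about: a matching 'nonce-...' source admits the element, and the
// presence of any nonce source disables 'unsafe-inline'. 'self' never admits
// inline styles. (Hash sources are omitted from this model.)
function inlineStyleAllowed(sources, nonce) {
  if (sources === null) return true;
  const nonceSources = sources
    .filter((s) => s.startsWith("'nonce-") && s.endsWith("'"))
    .map((s) => s.slice("'nonce-".length, -1));
  if (nonceSources.length === 0) return sources.includes("'unsafe-inline'");
  return nonce !== undefined && nonceSources.includes(nonce);
}

// Create a document that enforces the given CSP header on attached styles.
function createDocument(cspHeader) {
  return { sources: parseStyleSrc(cspHeader), styles: [], violations: [] };
}

// Attach a style node, or record the console message a browser would emit.
function appendStyle(doc, node) {
  if (inlineStyleAllowed(doc.sources, node.nonce)) {
    doc.styles.push(node);
    return true;
  }
  doc.violations.push(
    'Refused to apply inline style because it violates the following ' +
      `Content Security Policy directive: "style-src ${doc.sources.join(' ')}".`,
  );
  return false;
}

// Model of an updateCSS(css, key, option) helper: builds a <style> node and
// copies option.csp.nonce onto it only when the caller supplies one.
// The leading `doc` argument is an assumption of this example.
function updateCSS(doc, css, key, option = {}) {
  const node = { tagName: 'style', dataKey: key, textContent: css };
  if (option.csp && option.csp.nonce) node.nonce = option.csp.nonce;
  appendStyle(doc, node);
  return node;
}

// The scrollbar measurement from the issue in two variants: the reported one
// injects the ::-webkit-scrollbar rule without forwarding the nonce; the
// expected one passes the ConfigProvider's csp through to updateCSS.
function measureScrollBar(doc, csp, forwardNonce) {
  const randomId = 'rc_unique_' + Math.random().toString(36).slice(2);
  const css = `
#${randomId}::-webkit-scrollbar {
width: 0;
height: 0;
}`;
  return forwardNonce
    ? updateCSS(doc, css, randomId, { csp })
    : updateCSS(doc, css, randomId);
}

// Run both variants against the policy from the issue's console message.
function demo() {
  const csp = { nonce: 'test-nonce' };
  const header = "default-src 'self'; style-src 'self' 'nonce-test-nonce'";

  const buggy = createDocument(header);
  measureScrollBar(buggy, csp, false); // refused: no nonce on the element

  const fixed = createDocument(header);
  measureScrollBar(fixed, csp, true); // attached: nonce matches the policy

  return { buggy, fixed };
}
```

Running demo() leaves the buggy document with one refusal whose text matches the console line quoted in the issue and no attached style, while the fixed document has the style attached with nonce 'test-nonce'. The same check also shows why adding 'unsafe-inline' is not a workaround once a nonce source is present: inlineStyleAllowed ignores it in that case, so forwarding the nonce is the only policy-preserving fix.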
