
Chore(config): Add CSP nonce placeholder to Vite configuration#27568

Merged
chirag-madlani merged 1 commit into main from fix-csp-nonce
Apr 21, 2026

Conversation

@chirag-madlani
Collaborator

This pull request introduces a configuration update to the Vite build setup to support Content Security Policy (CSP) nonces. The change allows the Java backend to inject a CSP nonce value at runtime, improving the application's security posture.

Security and configuration improvements:

  • Added an html.cspNonce placeholder to the Vite configuration in vite.config.ts, enabling the Java backend to inject a CSP nonce at runtime for enhanced Content Security Policy support.

Describe your changes:

Fixes

I worked on ... because ...

Type of change:

  • Bug fix
  • Improvement
  • New feature
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation

Checklist:

  • I have read the CONTRIBUTING document.
  • My PR title is Fixes <issue-number>: <short explanation>
  • I have commented on my code, particularly in hard-to-understand areas.
  • For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

@chirag-madlani chirag-madlani requested a review from a team as a code owner April 21, 2026 07:05
Copilot AI review requested due to automatic review settings April 21, 2026 07:05
@github-actions github-actions Bot added labels safe to test (Add this label to run secure Github workflows on PRs) and UI (UI specific issues) Apr 21, 2026

gitar-bot Bot commented Apr 21, 2026

Code Review ✅ Approved

Integrates a CSP nonce placeholder into the Vite configuration to support secure content policies. No issues found.


Copilot AI left a comment


Pull request overview

Updates the UI build configuration to support CSP nonces end-to-end by ensuring Vite-generated HTML receives a nonce placeholder that the Java backend can replace at runtime (consistent with the existing ${cspNonce} replacement pattern already used when serving index.html).

Changes:

  • Add html.cspNonce to vite.config.ts with a ${cspNonce} placeholder for runtime replacement by the backend.
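An added example, not code from this PR or from the project's repository, showing the two halves that the PR description and the Copilot overview describe: the Vite option that leaves a literal ${cspNonce} placeholder in the built index.html, and a TypeScript simulation of the runtime step in which the server swaps in a fresh per-response nonce and sends the matching Content-Security-Policy header. The exact shape of vite.config.ts, the sample built HTML and the header policy are assumptions.

```typescript
import { randomBytes } from "node:crypto";

// The option this PR adds to vite.config.ts (assumed shape; the diff itself is not
// on the page). A plain string keeps "${cspNonce}" literal, so Vite writes it
// unchanged into every generated <script> / <link> tag of the built index.html.
export const viteHtmlConfig = {
  html: { cspNonce: "${cspNonce}" },
};

export const CSP_NONCE_PLACEHOLDER = "${cspNonce}";

// Constructed sample of a build made with html.cspNonce set.
export const SAMPLE_BUILT_INDEX_HTML =
  '<!doctype html><html><head>' +
  '<meta property="csp-nonce" nonce="${cspNonce}">' +
  '<script type="module" nonce="${cspNonce}" src="/assets/index-abc123.js"></script>' +
  '<link rel="stylesheet" nonce="${cspNonce}" href="/assets/index-abc123.css">' +
  '</head><body><div id="root"></div></body></html>';

// A nonce must be unpredictable and unique per response: 128 bits from a CSPRNG,
// base64-encoded as the CSP nonce-source grammar requires.
export function newCspNonce(): string {
  return randomBytes(16).toString("base64");
}

// Replace every occurrence; String.replace with a string pattern replaces only the first.
export function injectNonce(html: string, nonce: string): string {
  return html.split(CSP_NONCE_PLACEHOLDER).join(nonce);
}

// The header that gives the nonce meaning: only tags carrying this exact value may
// load scripts or styles. The policy is an assumed example, not the project's.
export function cspHeaderFor(nonce: string): string {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; style-src 'self' 'nonce-${nonce}'`;
}

// What serving index.html looks like with the placeholder in place: mint a nonce per
// request, substitute it, and emit the matching header. A build without the
// placeholder (html.cspNonce unset) is rejected: the nonce would attach to nothing
// and the strict policy would block the app's own scripts.
export function renderIndex(builtHtml: string): { html: string; cspHeader: string; nonce: string } {
  if (!builtHtml.includes(CSP_NONCE_PLACEHOLDER)) {
    throw new Error("built index.html has no ${cspNonce} placeholder; set html.cspNonce in vite.config.ts");
  }
  const nonce = newCspNonce();
  const html = injectNonce(builtHtml, nonce);
  return { html, cspHeader: cspHeaderFor(nonce), nonce };
}
```

Because the nonce is minted per response, any caching layer in front of the server must not cache the rendered index.html, only the built asset files.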

@github-actions
Contributor

Jest test Coverage

UI tests summary

Lines: 61% coverage
Statements: 61.95% (60279/97287)
Branches: 41.99% (31619/75292)
Functions: 45% (9496/21098)



github-actions Bot commented Apr 21, 2026

🟡 Playwright Results — all passed (22 flaky)

✅ 3689 passed · ❌ 0 failed · 🟡 22 flaky · ⏭️ 89 skipped

Shard Passed Failed Flaky Skipped
🟡 Shard 1 479 0 2 4
🟡 Shard 2 651 0 5 7
🟡 Shard 3 660 0 6 1
🟡 Shard 4 645 0 3 27
✅ Shard 5 611 0 0 42
🟡 Shard 6 643 0 6 8
🟡 22 flaky test(s) (passed on retry)
  • Features/CustomizeDetailPage.spec.ts › Domain - customization should work (shard 1, 1 retry)
  • Pages/AuditLogs.spec.ts › should include filters and search in export request (shard 1, 1 retry)
  • Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
  • Features/DataProductDomainMigration.spec.ts › Data product with no assets can change domain without confirmation (shard 2, 1 retry)
  • Features/DataQuality/ColumnLevelTests.spec.ts › Column Value Mean To Be Between (shard 2, 1 retry)
  • Features/DataQuality/TestCaseImportExportE2eFlow.spec.ts › Admin: Complete export-import-validate flow (shard 2, 1 retry)
  • Features/DataQuality/TestCaseResultPermissions.spec.ts › User with only VIEW cannot PATCH results (shard 2, 1 retry)
  • Features/IncidentManager.spec.ts › Next, Previous and page indicator (shard 3, 1 retry)
  • Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 1 retry)
  • Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 1 retry)
  • Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
  • Features/UserProfileOnlineStatus.spec.ts › Should show "Active recently" for users active within last hour (shard 3, 1 retry)
  • Flow/PersonaFlow.spec.ts › Set default persona for team should work properly (shard 3, 1 retry)
  • Pages/Customproperties-part2.spec.ts › entityReferenceList shows item count, scrollable list, no expand toggle (shard 4, 1 retry)
  • Pages/DataContracts.spec.ts › Create Data Contract and validate for Worksheet (shard 4, 1 retry)
  • Pages/DataProducts.spec.ts › Create Data Product and Manage Assets (shard 4, 2 retries)
  • Pages/InputOutputPorts.spec.ts › Output port drawer shows info banner about data product assets (shard 6, 1 retry)
  • Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
  • Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)
  • Pages/UserDetails.spec.ts › Create team with domain and verify visibility of inherited domain in user profile after team removal (shard 6, 1 retry)
  • Pages/Users.spec.ts › Permissions for table details page for Data Consumer (shard 6, 1 retry)
  • VersionPages/ServiceEntityVersionPage.spec.ts › Api Service (shard 6, 1 retry)

📦 Download artifacts

How to debug locally
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

@chirag-madlani chirag-madlani merged commit 285eb8a into main Apr 21, 2026
59 of 60 checks passed
@chirag-madlani chirag-madlani deleted the fix-csp-nonce branch April 21, 2026 14:51