From 58f38a887eea564b36ab5ae5edc39ff8ff31ccf4 Mon Sep 17 00:00:00 2001 From: Zhihe Li Date: Wed, 22 Apr 2026 10:54:22 -0400 Subject: [PATCH] =?UTF-8?q?feat:=20=F0=9F=8E=B8=20Add=20CSP=20nonce=20to?= =?UTF-8?q?=20code=20editors?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../form/field/json-secret/index.hbs | 1 + .../form/role/edit-grants/index.hbs | 1 + .../worker-filter-generator/index.hbs | 1 + ui/admin/app/helpers/csp-nonce.js | 20 +++++++++++++++++++ ui/admin/app/index.html | 1 + 5 files changed, 24 insertions(+) create mode 100644 ui/admin/app/helpers/csp-nonce.js
diff --git a/ui/admin/app/components/form/field/json-secret/index.hbs b/ui/admin/app/components/form/field/json-secret/index.hbs
index 3acfb862ef..b4ac752638 100644
--- a/ui/admin/app/components/form/field/json-secret/index.hbs
+++ b/ui/admin/app/components/form/field/json-secret/index.hbs
@@ -27,6 +27,7 @@
 @isLintingEnabled={{true}}
 @language='json'
 @onInput={{@onInput}}
+ @cspNonce={{(csp-nonce)}}
 data-test-code-editor
 />
 {{/if}}
diff --git a/ui/admin/app/components/form/role/edit-grants/index.hbs b/ui/admin/app/components/form/role/edit-grants/index.hbs
index 4e8273374a..0ccea87b97 100644
--- a/ui/admin/app/components/form/role/edit-grants/index.hbs
+++ b/ui/admin/app/components/form/role/edit-grants/index.hbs
@@ -23,6 +23,7 @@
 @value={{this.grantStringsText}}
 @onInput={{this.onInput}}
 @customExtensions={{this.customExtensions}}
+ @cspNonce={{(csp-nonce)}}
 data-test-code-editor
 as |CE|
 >
diff --git a/ui/admin/app/components/worker-filter-generator/index.hbs b/ui/admin/app/components/worker-filter-generator/index.hbs
index 232432cdad..98fb98ab3a 100644
--- a/ui/admin/app/components/worker-filter-generator/index.hbs
+++ b/ui/admin/app/components/worker-filter-generator/index.hbs
@@ -11,6 +11,7 @@ @language='shell' @value={{or (get @model @name) ''}} @onInput={{fn this.setWorkerFilter @model @name}} + @cspNonce={{(csp-nonce)}} data-test-code-editor />
diff --git a/ui/admin/app/helpers/csp-nonce.js b/ui/admin/app/helpers/csp-nonce.js
new file mode 100644
index 0000000000..742b7e4cc7
--- /dev/null
+++ b/ui/admin/app/helpers/csp-nonce.js
@@ -0,0 +1,20 @@
+/**
+ * Copyright IBM Corp. 2021, 2026
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Helper from '@ember/component/helper';
+
+/**
+ * Returns the CSP style-src nonce from the document's head metadata.
+ */
+export default class CspNonceHelper extends Helper {
+ compute() {
+ return (
+ document
+ ?.querySelector('meta[name="csp-nonce"]')
+ ?.getAttribute('content')
+ ?.trim() ?? ''
+ );
+ }
+}
diff --git a/ui/admin/app/index.html b/ui/admin/app/index.html
index c33b29bbee..dc48df89a6 100644
--- a/ui/admin/app/index.html
+++ b/ui/admin/app/index.html
@@ -6,6 +6,7 @@ + Admin
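Review bot: `compute()` in `ui/admin/app/helpers/csp-nonce.js` turns a missing, empty or whitespace-only `meta[name="csp-nonce"]` into `''` with no signal, so the three editors that pass `@cspNonce={{(csp-nonce)}}` would presumably get a nonce that can never match the policy and lose their injected styles silently (how the editor consumes the argument is not visible in this patch). A development-time check before the return, for example `if (!nonce) console.warn('csp-nonce meta tag is missing or empty');`, would make that failure visible. The leading `document?.` is redundant in a browser and ineffective elsewhere, because an undeclared `document` raises a ReferenceError before optional chaining applies; use `document.querySelector(...)` or guard with `typeof document !== 'undefined'`. The doc comment should also state the `''` fallback and that the meta value must be a per-response nonce written by the server and honoured for `style-src` only, since a `content` attribute, unlike a `nonce` attribute, stays readable to scripts and CSS selectors on the page.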