📄 openmetadata-ui/src/main/resources/ui/src/components/BlockEditor/TableMenu/TableMenu.tsx:122-128
Lines 122-125 resolve referenceElement by calling target.closest(TABLE_CELL_SELECTOR) then target.closest(TABLE_WRAPPER_SELECTOR). However, getReferenceRect (line 85-101) performs the exact same .closest() chain internally. Since referenceElement is already resolved to a td/th or .tableWrapper, the lookups inside getReferenceRect are redundant (they'll just return self).

This isn't a bug—closest() matches the element itself—but it's unnecessary work on every tippy repositioning call. Consider either:

• Passing the resolved element directly to getBoundingClientRect() (skipping getReferenceRect), or
• Keeping only the getReferenceRect(target) call but wrapping it in the arrow function (which is the actual fix for dynamic repositioning).

📄 openmetadata-ui/src/main/resources/ui/src/components/BlockEditor/TableMenu/TableMenu.test.tsx:154-160
The test file contains unresolved git merge conflict markers (<<<<<<< HEAD, =======, >>>>>>> a8a1ed21e2) at lines 154-160. This will cause the test file to fail to parse and all tests in this file will be broken. The conflict appears to be between two approaches for mocking getBoundingClientRect: the direct assignment (jest.fn()) vs. the mockBoundingClientRect helper using Object.defineProperty.

This must be resolved before merging.

📄 openmetadata-ui/src/main/resources/ui/index.html:29 📄 openmetadata-ui/src/main/resources/ui/index.html:92 📄 openmetadata-ui/src/main/resources/ui/index.html:105
All three <script> tags had their nonce="${cspNonce}" attribute removed. CSP nonces are a critical defense-in-depth mechanism that allows only server-authorized inline scripts to execute. Without them, if the application has a Content-Security-Policy header that relies on nonces (which is the standard pattern when ${cspNonce} is templated server-side), these scripts will either:

1. Break entirely if CSP is enforced — the browser will refuse to run unnonce'd inline scripts.
2. Weaken security if CSP is loosened to compensate (e.g., adding 'unsafe-inline') — any injected script on the page would also be allowed to run, defeating XSS protection.

This change appears unrelated to the stated goal of fixing table text selection styling and menu anchoring. The commit message says "drop unintended ui index.html change" but the file is still modified in the final diff.

📄 openmetadata-ui/src/main/resources/ui/index.html:109-119
The Google Tag Manager initialization was rewritten from a safe document.createElement('script') + src pattern to assigning a string of JavaScript to gtmTagScript.innerHTML and appending it. While the content is static and not user-controlled, this pattern:

1. Is flagged by many security scanners and CSP policies ('unsafe-inline' would be required).
2. Is a regression from the previous approach which set .src to load GTM externally — a cleaner and more CSP-friendly pattern.
3. The previous code also correctly set the nonce on the dynamically created script (gtmScript.setAttribute('nonce', ...)), which this version loses.

Note: scripts injected via innerHTML on a <script> element that is then appended to the DOM do not execute in modern browsers. The innerHTML-assigned script content is typically ignored. The previous document.createElement('script') + .src approach was correct.