Force HTTPS for mermaidjs to play well with CSP

Achilleas Pipinellis requested to merge mermaidjs-https into master

Now that CSP is in place, review apps pages that contain any Mermaid diagrams fail with:

mermaid-v1.js:9 Refused to load the script 'http://cdnjs.cloudflare.com/ajax/libs/mermaid/8.8.0/mermaid.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

This MR fixes that by forcing HTTPS for mermaid.js.
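The check behind the console error above, as an added example that is not part of the merge request or the project's code: a simplified model of how a browser matches an external script URL against the policy, including the `script-src-elem` to `script-src` fallback the message mentions. The page origin, the function names and the `forceHttps` helper are assumptions made for illustration; only `'self'` and scheme-sources such as `https:` are modelled.

```javascript
// Policy string copied from the console error; PAGE_ORIGIN is a constructed placeholder.
const POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const PAGE_ORIGIN = "https://review-app.example.com";

// Return the source list of the first directive present, following the
// fallback chain for script elements: script-src-elem, script-src, default-src.
function effectiveSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no applicable directive: the load is not restricted
}

// Simplified match: exact-origin 'self' and scheme-sources only.
// Host-sources, nonces and hashes are not modelled and never match here.
function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = effectiveSources(policy);
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === new URL(pageOrigin).origin) return true;
    } else if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      const scheme = src.toLowerCase();
      if (url.protocol === scheme) return true;
      if (scheme === "http:" && url.protocol === "https:") return true; // CSP3 upgrade match
    }
    // 'unsafe-inline' and 'unsafe-eval' do not authorise external URLs
  }
  return false;
}

// Hypothetical helper mirroring the fix: rewrite an http: script URL to https:.
function forceHttps(scriptUrl) {
  const url = new URL(scriptUrl);
  if (url.protocol === "http:") url.protocol = "https:";
  return url.href;
}
```

The `https:` scheme-source admits any HTTPS host, so the policy blocks the plain-HTTP CDN URL but does not pin scripts to a particular origin.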
