Document that custom emoji bypass the asset proxy
GitLab can be configured to use an asset proxy server when requesting external images/videos/audio in issues and comments. This helps ensure that malicious images do not expose the user’s IP address when they are fetched.
- GitLab support custom emoji: https://docs.gitlab.com/ee/user/emoji_reactions.html#custom-emoji
- Users with the developer role or higher can add them to the group
- The emoji is added by providing a URL: https://docs.gitlab.com/ee/user/emoji_reactions.html#upload-custom-emoji-to-a-group OR https://docs.gitlab.com/ee/api/graphql/custom_emoji.html
- The emoji is loaded directly from that URL. It does not (appear to) use the Asset Proxy
We should document this until the behavior is changed (either by proxying emoji, or by saving emoji to the gitlab instance for local serving).
Example
The "cat typing" emoji is loaded from Slack:
But random images are loaded via the proxy: