Investigate correct fix for embedding images in mermaid diagram preview in the rich text editor
### Summary

Follow-up from the discussion in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227614#note_3165494090 on MR https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227614 ("Fix mermaid diagram preview in rich text editor").

During review, it was identified that setting `proxiedURLs: null` also does not work. The mermaid diagram preview still fails to render correctly.

The current approach in the linked MR is not the right fix, and further discussion is needed to determine what the actual correct solution should be.

### Problem explained by @kivikakk

Unfortunately, `null` does not help us if the asset proxy is enabled. If it is, the preview when embedding images in a diagram is this:

![image](/uploads/1964f3a2f388edb384193827bcbfefc4/image.png){width="575" height="386"}

https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5544 has details (staff-only link), but tl;dr we use a strict CSP in the Mermaid sandbox to stop accidental or malicious IP exposure when the asset proxy is enabled. By passing `proxiedUrls: null` when previewing, we don't replace any of the images with their asset proxied URLs, so they fail to load due to the CSP. They still load OK on actual render:

![image](/uploads/4d98a16a925dfa1696bda1e343f92e37/image.png){width="288" height="181"}

(there's a tiny squished cat in there)

This isn't so easy to fix. At the moment we're reacting to a watch on `source`, so we don't have any `proxiedUrls` to pass. These URLs can _only_ be generated by the backend by design, since the backend's what possesses the key for the asset proxy (and we can't give it to the frontend, as that enables abuse of the asset proxy).

(A decent solution that occurs to me is that we can disable the CSP only for preview, since the only person being exposed is the author currently previewing (i.e. no exposure at all!), but we'll need to take care that this doesn't provide a vector for anything malicious.)
issue
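The failure described above can be reproduced as a small model. This is an added example, not GitLab's code: it evaluates a sandbox CSP against the images in a diagram source, once with `proxiedUrls` set to `null` (preview) and once with a backend-supplied mapping (render). Assumptions: the policy string, both origins, the `<img src>` label syntax, the placeholder proxied URL, and every function name are constructed for illustration; only the `proxiedUrls` name comes from the issue.

```javascript
// Constructed sample values: origins, URLs and the proxied path are placeholders.
const SANDBOX_CSP = "default-src 'none'; img-src https://assets.example.test"; // assumed policy
const SOURCE = `graph TD
  A["<img src='https://images.example.org/cat.png' width='40'/> cat"] --> B`;
const PROXIED = { // stands in for the backend-generated mapping
  'https://images.example.org/cat.png':
    'https://assets.example.test/PLACEHOLDER_DIGEST/PLACEHOLDER_ENCODED_URL',
};

// Source list that governs image loads: img-src, falling back to default-src.
function imgSources(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  return directives.get('img-src') ?? directives.get('default-src') ?? null;
}

// Origin-level match only; keyword sources ('none', 'self', ...) never match here.
function imageAllowed(url, sources) {
  if (sources === null) return true; // no directive restricts images
  const origin = new URL(url).origin;
  return sources.some((src) => {
    if (src === '*') return true;
    if (src.startsWith("'")) return false;
    try { return new URL(src).origin === origin; } catch { return false; }
  });
}

// Image URLs embedded in the diagram source via <img src=...> labels.
function imageUrls(source) {
  return [...source.matchAll(/<img[^>]*\ssrc=['"]([^'"]+)['"]/gi)].map((m) => m[1]);
}

// Swap in proxied URLs when the caller has them; null leaves the source untouched.
function applyProxiedUrls(source, proxiedUrls) {
  if (!proxiedUrls) return source;
  return imageUrls(source).reduce(
    (out, url) => (proxiedUrls[url] ? out.split(url).join(proxiedUrls[url]) : out), source);
}

// For each image the sandbox would request, report whether the CSP lets it load.
function previewReport(source, proxiedUrls, csp = SANDBOX_CSP) {
  const sources = imgSources(csp);
  return imageUrls(applyProxiedUrls(source, proxiedUrls))
    .map((url) => ({ url, loads: imageAllowed(url, sources) }));
}

console.log(previewReport(SOURCE, null), previewReport(SOURCE, PROXIED));
```

The third argument of `previewReport` models the "disable the CSP only for preview" idea: with a policy that has no `img-src` or `default-src`, the unproxied URL loads directly from its origin.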