Mermaid renders 'Syntax error in text' on gitlab.com — sandboxed iframe CSP blocks webpack chunk-load
### Summary
On gitlab.com (SaaS), all Mermaid diagrams in markdown render the fallback "Syntax error in text / mermaid version 11.13.0" bomb icon instead of the rendered SVG. The diagrams themselves are syntactically valid (verified locally with `@mermaid-js/mermaid-cli` v11.15.0 — every block produces a clean SVG). The actual failure is a **Content Security Policy violation that blocks the `mermaid_sandbox` iframe from loading lazy-loaded webpack chunks**.
### Reproduction
1. View any gitlab.com-hosted markdown file containing a mermaid block (any flowchart, sequenceDiagram, etc.).
2. Observe the bomb icon labeled "Syntax error in text" with "mermaid version 11.13.0" instead of the diagram.
3. Open browser DevTools console.
### Browser console output
```
Refused to load https://gitlab.com/assets/webpack/cb9134e6.d8541d49.chunk.js
because it does not appear in the script-src directive of the Content Security Policy.
Unhandled Promise Rejection: ChunkLoadError: Loading chunk cb9134e6 failed.
(error: https://gitlab.com/assets/webpack/cb9134e6.d8541d49.chunk.js)
source: mermaid_sandbox.js:31
Refused to load https://gitlab.com/assets/webpack/dd37ce2b.1bd57c7f.chunk.js
because it does not appear in the script-src directive of the Content Security Policy.
Unhandled Promise Rejection: ChunkLoadError: Loading chunk dd37ce2b failed.
```
Two chunks (`cb9134e6`, `dd37ce2b`) confirmed; likely affects all lazy-loaded chunks the mermaid renderer needs.
### Root cause hypothesis
The CSP applied to the `mermaid_sandbox` iframe doesn't include `https://gitlab.com/assets/webpack/*.chunk.js` in its `script-src` directive. When mermaid's runtime lazy-loads its renderer chunks, the browser blocks them; mermaid then falls back to the "Syntax error in text" bomb fallback (which is misleading — there is no syntax error in the source).
Likely a regression from a recent CSP tightening that didn't account for mermaid's dynamic chunk-loading code path.
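As an added example that is not GitLab's or Mermaid's code, the check below applies the CSP3 `script-src` matching rules to the first refused chunk URL from the console output. The two policy strings are constructed (the report does not include gitlab.com's actual policy text), and the opaque-origin case is included because `'self'` matches nothing from a sandboxed iframe's `null` origin.

```javascript
// Added example, not GitLab's or Mermaid's code: a minimal CSP script-src matcher following the CSP3
// source-expression rules. The policy strings are constructed; the report shows only the refused URLs.

const parsePolicy = (csp) => Object.fromEntries(csp.split(';')
  .map((p) => p.trim().split(/\s+/).filter(Boolean)).filter((t) => t.length)
  .map((t) => [t[0].toLowerCase(), t.slice(1)]));
const defaultPort = (protocol) => ({ 'https:': '443', 'http:': '80' })[protocol] || '';

// One host-source expression, e.g. https://gitlab.com/assets/webpack/, against one URL.
function hostSourceMatches(expr, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  if (scheme ? scheme.toLowerCase() !== urlScheme : !['http', 'https'].includes(urlScheme)) return false;
  const uh = url.hostname.toLowerCase(), h = host.toLowerCase();
  if (wildcard ? !uh.endsWith('.' + h) : uh !== h) return false;     // *.gitlab.com needs a subdomain
  const want = port || defaultPort(url.protocol), have = url.port || defaultPort(url.protocol);
  if (port !== '*' && want !== have) return false;
  if (!path || path === '/') return true;                            // no path-part: any path on the host
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path; // prefix vs exact
}

// Would scriptUrl load in a document governed by csp whose origin is documentOrigin?
// A sandboxed iframe without allow-same-origin has an opaque origin, written 'null' here.
function scriptAllowed(csp, scriptUrl, documentOrigin) {
  const d = parsePolicy(csp), sources = d['script-src'] || d['default-src'];
  if (!sources) return true;                               // no governing directive: unrestricted
  const url = new URL(scriptUrl);
  return sources.some((s) => {
    if (s === "'self'") return documentOrigin !== 'null' && documentOrigin === url.origin;
    if (s === '*') return ['http:', 'https:'].includes(url.protocol);
    if (s.startsWith("'")) return false;                   // 'none', nonces, hashes never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return s.toLowerCase() === url.protocol;
    return hostSourceMatches(s, url);
  });
}

// Chunk URL from the console output above; both policies are constructed for illustration.
const CHUNK = 'https://gitlab.com/assets/webpack/cb9134e6.d8541d49.chunk.js';
const BROKEN_CSP = "default-src 'none'; script-src 'self' 'nonce-abc123'";
const FIXED_CSP = BROKEN_CSP + ' https://gitlab.com/assets/webpack/';
function demo() {
  return {
    parentPage: scriptAllowed(BROKEN_CSP, CHUNK, 'https://gitlab.com'), // true: 'self' covers it
    sandboxBroken: scriptAllowed(BROKEN_CSP, CHUNK, 'null'),            // false: the refused load
    sandboxFixed: scriptAllowed(FIXED_CSP, CHUNK, 'null'),              // true: path prefix matches
  };
}
```

The `sandboxBroken` case reproduces the console's "Refused to load" outcome; `sandboxFixed` shows that a path-prefix host-source for the webpack asset directory is enough to admit the chunk.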
### Scope
Reproduced on multiple unrelated documents (flowchart-style and sequenceDiagram-style) in a private group's repos — appears global to gitlab.com SaaS, not document-specific. Same error stamp on every diagram.
### Expected behavior
Mermaid diagrams render their corresponding SVG. CSP `script-src` allowlist permits the sandboxed iframe to fetch its `gitlab.com/assets/webpack/*.chunk.js` chunks.
### Workaround
None at the user level — the diagram source is valid. Diagrams will render as soon as the CSP allowlist is updated; no doc-side edit can compensate.
### Related
- #597837 — *Mermaid sandboxed iframe null origin is incompatible with `Cross-Origin-Resource-Policy: same-site` on self-managed instances*. Same category (sandboxed mermaid iframe resource-loading), distinct mechanism: that issue is CORP on self-managed; this one is CSP `script-src` on SaaS.
### Environment
- gitlab.com SaaS, current as of 2026-05-18
- Reproduced in Safari (Web Inspector shows the CSP errors); the reporter also sees the same bomb fallback in other browsers.
- Mermaid version stamped on the bomb fallback: **11.13.0**
- Diagrams verified syntactically valid against `@mermaid-js/mermaid-cli` v11.15.0 locally (clean SVG output).