From 999ef75e664e51c9bc8b4fb783c0c42e36980a2a Mon Sep 17 00:00:00 2001 From: universe-ops <177390656+universe-ops@users.noreply.github.com> Date: Mon, 22 Jun 2026 17:45:31 +0300 Subject: [PATCH] docs: load mermaid from jsdelivr so the CSP allows it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to the startOnLoad fix (#338): diagrams still didn't render live. The docs site's Content-Security-Policy permits script-src from cdn.jsdelivr.net but NOT unpkg.com, and the mermaid2 plugin defaults to unpkg — so the library load was CSP-blocked and the page showed raw `graph TB ...` text. Point the plugin's `javascript:` at jsdelivr. The .esm bundle lazy-loads its chunks via relative URLs, so they resolve on jsdelivr too (also CSP-allowed). Verified by serving the built site with the production CSP header and rendering headless: the mermaid div now draws an . Co-Authored-By: Claude Opus 4.8 (1M context) Signed-off-by: Ilya Sadykov <177390656+universe-ops@users.noreply.github.com> --- docs/mkdocs.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index c984cf4b..c5b4c3d3 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -116,6 +116,12 @@ plugins: - search - mermaid2: version: 10.6.1 + # Load Mermaid from jsdelivr, not the plugin's default unpkg.com. The + # docs site's Content-Security-Policy allows script-src from + # cdn.jsdelivr.net but NOT unpkg.com, so the default URL was blocked and + # no diagram rendered. The .esm bundle lazy-loads its chunks relatively, + # so they resolve on jsdelivr too (also CSP-allowed). + javascript: https://cdn.jsdelivr.net/npm/mermaid@10.6.1/dist/mermaid.esm.min.mjs arguments: # startOnLoad MUST be set: supplying a custom `arguments` block # overrides the plugin's defaults (which include it), and Mermaid v10's