Mermaid diagram does not render about crates.io HOT 6 CLOSED

hmm, if I understand their docs correctly then strict should be as safe as the sandbox mode, but the sandbox mode would potentially enable a few more features. given all that, I guess strict should work fine for us.

from crates.io.

Refused to frame '' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

I think this might be the relevant error in the dev tools.

To answer your questions: Yes, it is live in production. No, I personally hadn't tested it on production yet. Yes, it is broken... 😅

It looks like the reason why it works in development mode but not production is (yet again) our Content Security Policy header, which is set by nginx, which is not running in frontend development mode 🙈

@ToBinio do you have time to take a look at this? first step would be to try and reproduce this locally, and then find a CSP header that allows the mermaid stuff to render correctly.

from crates.io.

Shure, I can try.
But I will only be able to do something in the evening.

another note:
could it be that because the rendered README's get stored. the old ones like natural-xml-diff don't get mermaid support?
if so, these should probaly get rerendered

from crates.io.

@Turbo87 @ToBinio Thank you for the quick response. Please let me know if I can support you in any way.

from crates.io.

I discovered a new problem... mermaid did not work on my local machine even without the CSP header. Why? firefox...
not sure why but I wasn't able to get the sandbox mode running with Firefox (with Chrome everything was fine)

so I didn't really play around with the CSP header any longer.

a fix for both would be to use strict mode instead of sandbox. this worked with the CSP header and on Firefox

note:
sandbox is still in beta

from crates.io.

Thank you for fixing it! It does render now!

from crates.io.