mermaid: allow data URI images in chat/preview CSP

[Copilot]

Mermaid C4 diagrams in chat could render with missing icons (for example, the person icon in the attached repro) because image data URIs were blocked by the webview CSP fallback to default-src 'none'. Markdown preview worked because it already allows image sources explicitly.

• What changed

  • Added an explicit img-src data: directive to Mermaid webview CSP in:
    • extensions/mermaid-markdown-features/src/chatOutputRenderer.ts
    • extensions/mermaid-markdown-features/src/editorManager.ts

• Security posture

  • Kept default-src 'none' and existing script/style/font restrictions unchanged.
  • Relaxed only image loading for trusted in-document data: images emitted by Mermaid rendering.

<!-- before -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'none'; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src data:;" />

<!-- after -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'none'; img-src data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src data:;" />

[Copilot]

Pull request overview

This PR fixes missing icons in Mermaid C4 diagrams rendered in chat (and aligns editor preview behavior) by allowing data: image sources in the webview Content Security Policy, while keeping the overall CSP restrictive (default-src 'none').

Changes:

• Add img-src data: to the Mermaid chat output renderer webview CSP.
• Add img-src data: to the Mermaid editor preview webview CSP.

Show a summary per file

File	Description
extensions/mermaid-markdown-features/src/editorManager.ts	Allows data: images in the editor preview webview CSP so Mermaid-emitted data URI icons can render.
extensions/mermaid-markdown-features/src/chatOutputRenderer.ts	Allows data: images in the chat renderer webview CSP to fix missing C4/person icons in chat output.

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 0