Force HTTPS for mermaidjs to play well with CSP
Now that CSP is in place, review apps pages that contain any Mermaid diagrams fail with:
mermaid-v1.js:9 Refused to load the script 'http://cdnjs.cloudflare.com/ajax/libs/mermaid/8.8.0/mermaid.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
This MR fixes that by forcing HTTPS for mermaid.js.