diff --git a/api/src/Header/Content.php b/api/src/Header/Content.php
index 52ef7e5c9e..e9b3bb957c 100644
--- a/api/src/Header/Content.php
+++ b/api/src/Header/Content.php
@@ -84,7 +84,7 @@ class Content
 UserAgent::type() == 'safari' && UserAgent::mobile() && UserAgent::version() >= 9537) // iOS 7
 {
 // forbid to execute any javascript (to be precise anything but images and styles)
- ContentSecurityPolicy::header("image-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; default-src 'none'");
+ ContentSecurityPolicy::header("img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; default-src 'none'");
 }
 else // everything else get's a Content-dispostion: attachment, to be on save side
 {
@@ -165,4 +165,4 @@ class Content
 header('Content-disposition:'.$attachment.' filename="'.Api\Translation::to_ascii($fn).'"; filename*=utf-8\'\''.rawurlencode($fn));
 }
-}
+}
\ No newline at end of file
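Review bot: With the directive name corrected, `img-src 'self' data: https:` on the changed line now takes effect, so a document served inline under this branch can fetch images from any https host; combined with `style-src 'self' 'unsafe-inline' https:`, untrusted markup can make outbound requests (tracking pixels, CSS-driven leakage of page content) even though script stays blocked. Before this fix the misspelled `image-src` was ignored and `default-src 'none'` blocked images entirely, so this is a behaviour change that deserves a deliberate decision. If the files shown here do not need remote resources, I would narrow the line to `ContentSecurityPolicy::header("img-src 'self' data:; style-src 'self' 'unsafe-inline'; default-src 'none'");`; otherwise extend the comment above it to say that remote https images and styles are allowed on purpose. The enclosing `if` condition and the method start outside the hunk, so I cannot see which content types reach this branch.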