diff --git a/api/src/Header/ContentSecurityPolicy.php b/api/src/Header/ContentSecurityPolicy.php
index b145e69a83..50ca21cb86 100644
--- a/api/src/Header/ContentSecurityPolicy.php
+++ b/api/src/Header/ContentSecurityPolicy.php
@@ -42,7 +42,7 @@ class ContentSecurityPolicy
 'manifest-src'=> ["'self'"],
 'frame-ancestors' => ["'self'"], // does not allow to frame (embed in frameset) other then self / clickjacking protection
 'media-src' => ["data:"],
-'img-src' => ["data:", "https:"],
+'img-src' => ["data:", "https:", "blob:"],
 'default-src' => ["'none'"], // disallows all not explicit set sources!
 );
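Review bot: The added `blob:` source on the `img-src` line is the only widening in this block without a why-comment, while the neighbouring `frame-ancestors` and `default-src` entries each explain their value; suggest `'img-src' => ["data:", "https:", "blob:"], // blob: needed for images built client-side from object URLs (TODO: name the feature)` so a later reviewer can tell whether the allowance is still required. Each scheme source added to a CSP directive is a permanent relaxation that is rarely revisited, so the commit message or the comment should record which UI component needs it. Since `data:` and `https:` already admit images from arbitrary sources, the practical change in exposure for `img-src` appears small, but that is inferred rather than visible here. The array literal and the `ContentSecurityPolicy` class that holds it begin before the hunk.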