I had the same problem and adding the following to the CSP meta-tag in www/index.html fixed it for me (you can remove the ‘*’ if you’re not loading images from external sources, otherwise you’ll probably want to specify the source URLs instead of ‘*’):
img-src 'self' data: *
Just for reference, here is the whole content of the CSP meta-tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *; img-src 'self' data: *">
I cannot guarantee that the meta-tag is safe to use this way. I got it from this article and it’s on my todo-list to further research and tweak it. Here are some links that might be helpful:
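
As an added example (not part of the original post or the article it mentions), this JavaScript parses a CSP string such as the one above and lists the sources that leave a directive effectively open, including directives that only inherit default-src. The function names, the set of directives checked and the https://img.example.com host in the tightened policy are assumptions made for illustration.

```javascript
// Sources that make a directive effectively unrestricted.
const BROAD = new Set(["*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"]);

// Split a policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report broad sources per fetch directive, following the default-src fallback.
function auditCsp(policy, names = ["script-src", "style-src", "img-src", "connect-src"]) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const name of names) {
    const inherited = !directives.has(name);
    const sources = directives.get(name) ?? directives.get("default-src") ?? null;
    if (sources === null) {
      findings.push({ directive: name, source: null, inherited: true }); // nothing restricts it
      continue;
    }
    for (const raw of sources) {
      const source = raw.toLowerCase();
      if (!BROAD.has(source)) continue;
      // data: in img-src is the fix the post describes, so it is not flagged there.
      if (source === "data:" && name === "img-src") continue;
      findings.push({ directive: name, source, inherited });
    }
  }
  return findings;
}

// The policy quoted in the post.
const POST_POLICY = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; " +
  "style-src 'self' 'unsafe-inline' *; img-src 'self' data: *";
// Constructed tightened variant; the image host is a placeholder.
const TIGHT_POLICY = "default-src 'self'; script-src 'self'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data: https://img.example.com";

for (const f of auditCsp(POST_POLICY)) {
  console.log(`${f.directive}: ${f.source}${f.inherited ? " (inherited from default-src)" : ""}`);
}
console.log("tightened policy findings:", auditCsp(TIGHT_POLICY).length);
```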