diff --git a/app.rb b/app.rb index 16aba785..cbf6e267 100644 --- a/app.rb +++ b/app.rb @@ -92,7 +92,7 @@ after do end after do - response.headers['Content-Security-Policy'] = %{default-src 'self' 'unsafe-inline'; script-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com; style-src 'self' https://hcaptcha.com, https://*.hcaptcha.com; connect-src 'self' https://hcaptcha.com, https://*.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com} + response.headers['Content-Security-Policy'] = %{default-src 'self' data: blob: 'unsafe-inline'; script-src 'self' blob: 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com} end connect-src, https://api.stripe.com, https://maps.googleapis.com
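Review bot: Adding `'unsafe-inline'` and `blob:` to `script-src` on the new header line gives up most of the XSS protection this policy provided. The old `script-src` overrode the `default-src` fallback and blocked inline scripts and event handlers; the new one lets any injected inline script run on pages that also load Stripe and hCaptcha. If the inline scripts are the app's own, a per-response nonce is the narrower fix, e.g. `script-src 'self' 'nonce-#{nonce}' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com`, with the nonce generated in a `before` filter (`SecureRandom.base64(16)`) and stamped on each script tag; the templates are not visible in this hunk, so that part is assumed. If `blob:` is only needed for workers, `worker-src 'self' blob:` scopes it better than `script-src`. Since `default-src` now also allows `data:` and `blob:`, adding `object-src 'none'` keeps that fallback from widening too.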