diff --git a/index.js b/index.js
index ad69aae..4978e01 100644
--- a/index.js
+++ b/index.js
@@ -6,7 +6,7 @@ const {existsSync} = require('fs')
 // Documented at https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Content-Security-Policy
 const defaultCSP = {
 'default-src': [
- "'none'"
+ "'self'"
 ],
 'script-src': [
 "'self'",
@@ -71,6 +71,7 @@ const defaultCSP = {
 ],
 'media-src': [
 "'self'",
+ "data:",
 "blob:",
 "*.{{base_domain}}",
 "*.amazonaws.com",
diff --git a/index.mock.js b/index.mock.js
index d72a9e9..f5d6302 100644
--- a/index.mock.js
+++ b/index.mock.js
@@ -2,7 +2,7 @@ const {merge, trim, reduce} = require('lodash')
 const {execSync} = require('child_process')
 const defaultCSP = {
- 'default-src': ["'none'"],
+ 'default-src': ["'self'"],
 'child-src': ["blob:"],
 'script-src': [
 "'self' 'unsafe-inline' 'unsafe-eval'",
@@ -45,7 +45,7 @@ const defaultCSP = {
 "licensing.theoplayer.com",
 ],
 'media-src': [
- "'self' blob:",
+ "'self' data: blob:",
 "*.{{base_domain}}",
 "*.s3-accelerate.amazonaws.com *.s3.amazonaws.com",
 ],
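Review bot: Changing the `default-src` fallback from `'none'` to `'self'` in the first hunk of index.js (and identically in the first hunk of index.mock.js) widens every fetch directive that `defaultCSP` does not list explicitly, not only the one resource type that was presumably being blocked. The full object is not visible in these hunks, so which directives are unlisted cannot be confirmed here. If, for example, `object-src`, `worker-src` or `manifest-src` are absent, they move from deny to same-origin allow. I would keep `'default-src': ["'none'"]` and add only the directive that actually needs same-origin access, or at minimum pin `'object-src': ["'none'"]` in the same change. Either way, add a comment above the entry such as `// fallback for every unlisted fetch directive; keep as tight as possible` that records why `'self'` was required.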
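Review bot: The new `"data:"` source in `media-src` (second hunk of index.js, and folded into `"'self' data: blob:"` in the second hunk of index.mock.js) carries no comment saying which feature needs inline audio or video, so a later reviewer cannot tell when it is safe to remove. `data:` lets any media payload embedded directly in markup load, which is a smaller exposure than in `script-src` but still broadens what injected markup can render. Suggest adding `// data: required for <feature name>; drop when no longer used` next to the entry. In index.mock.js, list `"data:"` as its own array element, as index.js does, so the two policies stay easy to compare.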