Content Security Policy warnings when pasting images

[p8]

When I comment out the default CSP (Content Security Policy) in a Rails application,

Rails.application.config.content_security_policy do |policy|
   # ...
   policy.img_src :self, :https, :data
   # ...
end

Pasting an image in the editor results in the following in the browser

Refused to load the image 'blob:<URL>' because it violates the following Content Security Policy directive: "img-src 'self' <URL> <URL> data:". Refused to load the image 'blob:http://example.com/426e8cf7-faab-4141-87ad-8e30eb54ad6d' because it violates the following Content Security Policy directive: "img-src 'self', 'https', data:".

The warning can be fixed by adding :blob to the policy,

   policy.img_src :self, :https, :data, :blob

but that makes things less secure.

It would be nice, if we could tie blob to a URI, for example "blob:http://example.com" but that is not (yet) supported by the CSP standard.

Things still seem to work as expected even when warnings are show, and the images get uploaded.