This is the problem that the chrome console shows me.
Refused to load the image ‘https://bucket.s3.amazonaws.com/thumbnail_trogon_03a82adfef.jpeg?width=1200&height=800’ because it violates the following Content Security Policy directive: “img-src ‘self’ data: blob: https://dl.airtable.com”.
Middelware
i get the same error for google cloud storage
delete “strapi:security”
yes, just remove the region from the resource url string you create in the middleware file, your middlewares.js should be like:
module.exports = [
'strapi::errors',
{
name: 'strapi::security',
config: {
contentSecurityPolicy: {
useDefaults: true,
directives: {
'connect-src': ["'self'", 'https:'],
'img-src': [
"'self'",
'data:',
'blob:',
'dl.airtable.com',
'{s3_bucketname}.s3.amazonaws.com',
],
'media-src': [
"'self'",
'data:',
'blob:',
'dl.airtable.com',
'{s3_bucketname}.s3.amazonaws.com',
],
upgradeInsecureRequests: null,
},
},
},
},
'strapi::cors',
'strapi::poweredBy',
'strapi::logger',
'strapi::query',
'strapi::body',
'strapi::session',
'strapi::favicon',
'strapi::public',
];
that solves the problem.
These settings worked for me:
module.exports = ({ env }) => [
"strapi::errors",
{
name: "strapi::security",
config: {
contentSecurityPolicy: {
useDefaults: true,
directives: {
"connect-src": ["'self'", "https:"],
"img-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://s3.${env("AWS_REGION")}.amazonaws.com/${env(
"MEDIA_BUCKET"
)}/`,
],
"media-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://s3.${env("AWS_REGION")}.amazonaws.com/${env(
"MEDIA_BUCKET"
)}/`,
],
upgradeInsecureRequests: null,
},
},
},
},
"strapi::cors",
"strapi::poweredBy",
"strapi::logger",
"strapi::query",
"strapi::body",
"strapi::session",
"strapi::favicon",
"strapi::public",
];
Thanks for sharing, it almost worked for me, I only had to change the AWS url a bit, this is the code that worked for me:
module.exports = ({ env }) => [
"strapi::errors",
{
name: "strapi::security",
config: {
contentSecurityPolicy: {
useDefaults: true,
directives: {
"connect-src": ["'self'", "https:"],
"img-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://${env("AWS_BUCKET")}.s3.${env("AWS_REGION")}.amazonaws.com/`,
],
"media-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://${env("AWS_BUCKET")}.s3.${env("AWS_REGION")}.amazonaws.com/`,
],
upgradeInsecureRequests: null,
},
},
},
},
"strapi::cors",
"strapi::poweredBy",
"strapi::logger",
"strapi::query",
"strapi::body",
"strapi::session",
"strapi::favicon",
"strapi::public",
];
Thanks that worked for me 
Just had to get the s3 URL pattern to match what was being requested… and change the env variable names to match mine.
Also, this is a sidenote… but what does dl.airtable.com have anything to do with aws or strapi? I googled but couldn’t find anything.
Hey,
I had the same issue when uploading a media, everything was fine except the thumbnail in the back-office.
In fact, I just needed to add the CDN URL to the authorized srcs
module.exports = ({ env }) => [
"strapi::errors",
{
name: "strapi::security",
config: {
contentSecurityPolicy: {
useDefaults: true,
directives: {
"connect-src": ["'self'", "https:"],
"img-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://${env("AWS_BUCKET")}.s3.${env("AWS_REGION")}.amazonaws.com/`,
env("CDN_URL"),
],
"media-src": [
"'self'",
"data:",
"blob:",
"dl.airtable.com",
`https://${env("AWS_BUCKET")}.s3.${env("AWS_REGION")}.amazonaws.com/`,
env("CDN_URL"),
],
upgradeInsecureRequests: null,
},
},
},
},
"strapi::cors",
"strapi::poweredBy",
"strapi::logger",
"strapi::query",
"strapi::body",
"strapi::session",
"strapi::favicon",
"strapi::public",
];
Hope it helps you