TinyMCE causing images to not load in CMS admin

We have installed the TinyMCE plugin that replaces the markdown Rich Text editor. It appears to be working as an editor however it’s caused all uploaded images in the CMS admin to not load.

this is the following error message:

Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' *.tinymce.com *.tiny.cloud data: blob: dl.airtable.com strapi.io s3.amazonaws.com cdn.jsdelivr.net luminous-treasure-xxx.strapiapp.com"

And here is our middlewares.js file:

module.exports = [ "strapi::logger", "strapi::errors", "strapi::cors", "strapi::poweredBy", "strapi::query", "strapi::body", "strapi::session", "strapi::favicon", "strapi::public", { name: "strapi::security", config: { contentSecurityPolicy: { useDefaults: true, directives: { "script-src": ["'self'", "*.tinymce.com", "*.tiny.cloud", "https:"], "connect-src": [ "'self'", "*.tinymce.com", "*.tiny.cloud", "blob:", "*.strapi.io", ], "img-src": [ "'self'", "*.tinymce.com", "*.tiny.cloud", "data:", "blob:", "dl.airtable.com", "strapi.io", "s3.amazonaws.com", "cdn.jsdelivr.net", "luminous-treasure-xxx.strapiapp.com", "localhost:1337", ], "style-src": [ "'self'", "'unsafe-inline'", "*.tinymce.com", "*.tiny.cloud", ], "font-src": ["'self'", "*.tinymce.com", "*.tiny.cloud"], }, upgradeInsecureRequests: null, }, }, }, ];

We’ve added the domains we thought would be required but with no luck.

Any pointers would be much appreciated


This topic has been created from a Discord post (1219978631141658624) to give it more visibility.
It will be on Read-Only mode here.
Join the conversation on Discord

I’ve sorted this out now. For those searching in the future, I did the following:

  • Check the exact URL of the aset that is not loading - thought I had the correct URL but on closer inspection I noticed that there was a “media” rout in the URL, so I added that, as well as the market-assets for strapi.

Additional changes were made to contentSecurityPolicy → img-src:


<@402911159067344896> thank you for posting the update.