Images blocked by CSP in Twitch Extensions

Hello,

In the Extension settings there is “Allowlist for URL Fetching Domains.” I added:

GET requests to my API (https://my-api-domain) work fine. However, when the extension frontend tries to load user avatars from the FACEIT CDN, the browser blocks them due to CSP:
Sample errors:

  1. Is there a separate allowlist/setting for img-src (and media-src) for Twitch Extensions? If yes, where can I add https://distribution.faceit-cdn.net/images/*?

  2. Do patterns like https://distribution.faceit-cdn.net/images/*.jpg work in the allowlist, or should we specify just the origin like https://distribution.faceit-cdn.net?

Thank you!

You have a sticky/cached CSP, you can see your requested values are missing, or:

You have added these values to the allow list for fetch instead of Allowlist for Image Domains

So your list needs to be in the top section

Top: images/css background

Middle: video

Bottom: fetch/api

Thank you, and sorry for my oversight. However, the issue still persists:

Refused to load the image ‘https://distribution.faceit-cdn.net/images/4c0783eb-4e1c-4548-8ded-9067e13e9e81.jpeg’ because it violates the following Content Security Policy directive: “img-src ‘self’ https://9j4sphpwffxs9h278xcd8mf4hlkj3s.ext-twitch.tv https://static-cdn.jtvnw.net https://distribution.faceit-cdn.net/images/*.jpeg https://distribution.faceit-cdn.net/images/*.jpg https://*.google-analytics.com https://www.googletagmanager.com data: blob:”.

Could you clarify whether path wildcards like https://distribution.faceit-cdn.net/images/*.jpeg are supported in img-src, or do we have to add only the origin — https://distribution.faceit-cdn.net?

Any valid CSP as per the CSP specification should suffice, specific or generic, as long as it is compliant with the CSP specification.

Off hand I don’t recall the specifics of the specification, but I have some wildcarded CSPs in production (Twitch or otherwise) (granted just wildcarded subdomains rather than a specific pathed one).

Normally I’d throw the test URL at security headers to test I just don’t have yours

Edit:

suggests that you can’t use a wildcard where you did, as wildcards only apply to domain not paths

https://distribution.faceit-cdn.net/images/

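To make the matching rule concrete, here is an added example that is not part of the thread and not Twitch's or any browser's code: a reduced CSP Level 3 host-source matcher covering scheme, host, port and path comparison. Keywords such as 'self', the data: and blob: scheme sources, percent-decoding of path segments and the IPv6/trailing-dot host forms are left out as assumptions for brevity, and the avatar URL is the one quoted in the error message above. It shows that an entry like https://distribution.faceit-cdn.net/images/*.jpeg is accepted by the grammar (which is why it appeared in the reported policy) but the "*" in a path is a literal character, so the entry only ever equals a path that is literally /images/*.jpeg, while the trailing-slash form is a prefix match.

```javascript
// Added example (not Twitch's or a browser's code): a reduced CSP Level 3
// host-source matcher, enough to show how img-src entries are compared
// against a URL. 'self', data:, blob: and percent-decoding are omitted.

const DEFAULT_PORT = { http: 80, https: 443, ws: 80, wss: 443 };

// host-source := [ scheme "://" ] host [ ":" port ] [ path ]
// The grammar allows "*" inside a path because it is an ordinary RFC 3986
// pchar there; only the host position treats "*" specially.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^\s;,]*)?$/i;

function parseHostSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] ?? null,
    path: m[4] ?? '',
  };
}

// Scheme-part absent: the URL must use the page's own scheme.
// "http" in the expression also admits https (upgrade is allowed).
function schemeMatches(exprScheme, urlScheme, pageScheme) {
  const want = exprScheme ?? pageScheme;
  return want === urlScheme || (want === 'http' && urlScheme === 'https');
}

// "*" matches any host; "*.example.com" matches subdomains only, never
// example.com itself; anything else is a case-insensitive exact match.
function hostMatches(exprHost, urlHost) {
  if (exprHost === '*') return true;
  if (exprHost.startsWith('*.')) {
    const suffix = exprHost.slice(1); // ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

// No port-part: the URL must be on its scheme's default port.
function portMatches(exprPort, urlScheme, urlPortStr) {
  const urlPort = urlPortStr ? Number(urlPortStr) : DEFAULT_PORT[urlScheme];
  if (exprPort === null) return urlPort === DEFAULT_PORT[urlScheme];
  if (exprPort === '*') return true;
  return Number(exprPort) === urlPort;
}

// A path-part ending in "/" is a prefix match; any other path-part must
// equal the URL path exactly. There is no wildcard matching in paths.
function pathMatches(exprPath, urlPath) {
  if (exprPath === '' || exprPath === '/') return true;
  if (exprPath.endsWith('/')) return urlPath.startsWith(exprPath);
  return urlPath === exprPath;
}

function matchesSource(expr, urlString, pageScheme = 'https') {
  const src = parseHostSource(expr);
  if (!src) return false;
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  return schemeMatches(src.scheme, urlScheme, pageScheme)
    && hostMatches(src.host, url.hostname)
    && portMatches(src.port, urlScheme, url.port)
    && pathMatches(src.path, url.pathname);
}

// First source expression in the list that admits the URL, or null when
// the directive would block it.
function firstMatchingSource(sources, urlString, pageScheme = 'https') {
  return sources.find(s => matchesSource(s, urlString, pageScheme)) ?? null;
}

// The avatar URL quoted in the error message in this thread.
const AVATAR = 'https://distribution.faceit-cdn.net/images/4c0783eb-4e1c-4548-8ded-9067e13e9e81.jpeg';

// The two entries from the failing policy: both parse, but "*" is a literal
// character in a path, so neither ever equals the real path.
console.log(matchesSource('https://distribution.faceit-cdn.net/images/*.jpeg', AVATAR)); // false
console.log(matchesSource('https://distribution.faceit-cdn.net/images/*.jpg', AVATAR));  // false
// The directory-prefix form suggested in the reply, and the bare origin.
console.log(matchesSource('https://distribution.faceit-cdn.net/images/', AVATAR)); // true
console.log(matchesSource('https://distribution.faceit-cdn.net', AVATAR));         // true
```

One caveat worth knowing when you rely on the path-part: the CSP matching algorithm ignores path-parts once a fetch has been redirected, so a path restriction only constrains the first request, not where a CDN redirect ends up; the host and scheme parts still apply throughout.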