diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index 41e3b0c7..d44ed9a0 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -14,6 +14,7 @@ namespace OCA\Cospend\AppInfo;
 use OCA\Cospend\Capabilities;
 use OCA\Cospend\Dashboard\CospendWidget;
 use OCA\Cospend\Federation\CloudFederationProviderCospend;
+use OCA\Cospend\Listener\CSPListener;
 use OCA\Cospend\Middleware\FederationMiddleware;
 use OCA\Cospend\Middleware\PublicAuthMiddleware;
 use OCA\Cospend\Middleware\UserPermissionMiddleware;
@@ -28,6 +29,7 @@ use OCP\AppFramework\Bootstrap\IRegistrationContext;
 use OCP\Federation\ICloudFederationProvider;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\IConfig;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
 use OCP\Server;
 use OCP\Util;
 
@@ -117,6 +119,7 @@ class Application extends App implements IBootstrap {
 		$context->registerMiddleware(FederationMiddleware::class);
 
 		$context->registerCapability(Capabilities::class);
+		$context->registerEventListener(AddContentSecurityPolicyEvent::class, CSPListener::class);
 	}
 
 	public function boot(IBootContext $context): void {
diff --git a/lib/Listener/CSPListener.php b/lib/Listener/CSPListener.php
new file mode 100644
index 00000000..2c72f36b
--- /dev/null
+++ b/lib/Listener/CSPListener.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OCA\Cospend\Listener;
+
+use OCP\AppFramework\Http\ContentSecurityPolicy;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\Security\CSP\AddContentSecurityPolicyEvent;
+
+/**
+ * @template-implements IEventListener<AddContentSecurityPolicyEvent>
+ */
+class CSPListener implements IEventListener {
+
+	public function __construct(
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if (!($event instanceof AddContentSecurityPolicyEvent)) {
+			return;
+		}
+
+		$csp = new ContentSecurityPolicy();
+		$csp->addAllowedWorkerSrcDomain('blob:');
+		$event->addPolicy($csp);
+	}
+}