update the recommended settings for img-src and media-src

docs/example.nginx.conf

@@ -96,14 +96,14 @@ server {
     set $fontSrc    "'self' data: ${main_domain}";
 
     # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
-    set $imgSrc     "'self' data: * blob: ${main_domain}";
+    set $imgSrc     "'self' data: blob: ${main_domain} ${sandbox_domain}";
 
     # frame-src specifies valid sources for nested browsing contexts.
     # this prevents loading any iframes from anywhere other than the sandbox domain
     set $frameSrc   "'self' ${sandbox_domain} blob:";
 
     # specifies valid sources for loading media using video or audio
-    set $mediaSrc   "'self' data: * blob: ${main_domain}";
+    set $mediaSrc   "'self' data: blob: ${main_domain} ${sandbox_domain}";
 
     # defines valid sources for webworkers and nested browser contexts
     # deprecated in favour of worker-src and frame-src