OK OP here, I think I didn't fuck up, I think some admin did.
When you were inserting script-src for the content security policy, you specified ONLY self, and didn't specify whatever third party the image is coming from.
Therefore my browser is blocking the script, while proxies, which don't care about script-src, aren't blocking it.
>[16:21:39.817] Content Security Policy: The page's settings blocked the loading of a resource at data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMgA……………….
This is going to piss off a few people.
>>47049
Sadly that doesn't work for me.