diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 462fa26448..c7e2ca828f 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,7 +4,7 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-if Rails.env.production?
+unless Rails.env.development?
   assets_host = Rails.configuration.action_controller.asset_host || "https://#{ENV['WEB_DOMAIN'] || ENV['LOCAL_DOMAIN']}"
   data_hosts = [assets_host]
 
diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb
index 7eb27d61d6..d327ac1b45 100644
--- a/spec/requests/content_security_policy_spec.rb
+++ b/spec/requests/content_security_policy_spec.rb
@@ -12,15 +12,15 @@ describe 'Content-Security-Policy' do
       "default-src 'none'",
       "frame-ancestors 'none'",
       "font-src 'self' https://cb6e6126.ngrok.io",
-      "img-src 'self' https: data: blob: https://cb6e6126.ngrok.io",
+      "img-src 'self' data: blob: https://cb6e6126.ngrok.io",
       "style-src 'self' https://cb6e6126.ngrok.io 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='",
-      "media-src 'self' https: data: https://cb6e6126.ngrok.io",
+      "media-src 'self' data: https://cb6e6126.ngrok.io",
       "frame-src 'self' https:",
       "manifest-src 'self' https://cb6e6126.ngrok.io",
       "form-action 'self'",
       "child-src 'self' blob: https://cb6e6126.ngrok.io",
       "worker-src 'self' blob: https://cb6e6126.ngrok.io",
-      "connect-src 'self' data: blob: https://cb6e6126.ngrok.io https://cb6e6126.ngrok.io ws://localhost:4000",
+      "connect-src 'self' blob: data: ws://localhost:4000 https://cb6e6126.ngrok.io",
       "script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'"
     )
   end