Content Security Policy?

I recently did a check with Webbkoll and it showed me the following Content Security Policy header:

default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-xxx';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';worker-src 'self' blob:

However, in my nginx vHost configuration I didn’t set a CSP.
I wanted to treat this topic today, but then I found this. xD

Where does this CSP come from? Where can if modify it, if needed?

I wanted to disallow the Nextcloud News App + Bookmarks App to load images from 3rd party sites.
(In general I want to most restrictive CSP as possible)

img-src 'self' data: blob:

I don’t know exactly what “data” and “blob” means?
How should I modify it to achieve the above?

I hope someone can clarify this.

edit: Another question but regarding the same topic:
I’ve set the

add_header X-Frame-Options deny always;

header, but now the admin panel shows a warning that is is not set to “SAMEORIGIN”.
However, deny should be more secure than sameorigin, right?

It shouldn’t be necessary to change the CSP as at least the bookmarks app previews are fetched and delivered by your nextcloud server.

Regarding the frame options, deny will disable even frames from nextcloud, which is probably why it’s complaining.

Interesting we asked the same thing. Have a look at Content Security Policy Config

Seems it can’t be turned off?