diff --git a/CHANGELOG.md b/CHANGELOG.md
index 09b5a2ac8..6e1e87d80 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,6 +47,8 @@
 
 ### Bugfixes
 - アップロードエラー時の処理を修正
+- Add `img-src` and `media-src` directives to `Content-Security-Policy` for
+  files and media proxy
 
 ## 12.101.1 (2021/12/29)
 
diff --git a/packages/backend/src/server/file/index.ts b/packages/backend/src/server/file/index.ts
index a455acd1c..6fe6110dc 100644
--- a/packages/backend/src/server/file/index.ts
+++ b/packages/backend/src/server/file/index.ts
@@ -18,7 +18,7 @@ const _dirname = dirname(_filename);
 const app = new Koa();
 app.use(cors());
 app.use(async (ctx, next) => {
-	ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+	ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
 	await next();
 });
 
diff --git a/packages/backend/src/server/proxy/index.ts b/packages/backend/src/server/proxy/index.ts
index b8993f19f..7a3094311 100644
--- a/packages/backend/src/server/proxy/index.ts
+++ b/packages/backend/src/server/proxy/index.ts
@@ -11,7 +11,7 @@ import { proxyMedia } from './proxy-media';
 const app = new Koa();
 app.use(cors());
 app.use(async (ctx, next) => {
-	ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+	ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
 	await next();
 });