diff --git a/index.html b/index.html
index a077784..f6de57e 100644
--- a/index.html
+++ b/index.html
@@ -2,6 +2,10 @@
 <html lang="en">
   <head>
     <meta charset="UTF-8" />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; style-src 'unsafe-inline'; img-src *"
+    />
     <title>Renai</title>
   </head>
   <body id="app"></body>
diff --git a/src/main/services/session.ts b/src/main/services/session.ts
index e76886d..3fc450c 100644
--- a/src/main/services/session.ts
+++ b/src/main/services/session.ts
@@ -1,19 +1,18 @@
 import { session } from 'electron';
-import OnResponseStartedDetails = Electron.OnResponseStartedDetails;
+import OnHeadersReceivedDetails = Electron.OnHeadersReceivedDetails;
 
-function initSession(): void {
+function init(): void {
+  // these headers only work on webrequests, file:// protocol is handled via meta tags in index.html
   session.defaultSession.webRequest.onHeadersReceived(
-    (details: OnResponseStartedDetails, callback: (response: any) => void) => {
+    (details: OnHeadersReceivedDetails, callback: (response: {}) => void) => {
       callback({
         responseHeaders: {
           ...details.responseHeaders,
-          'Content-Security-Policy': [
-            "default-src 'self'; style-src 'unsafe-eval' 'unsafe-inline'",
-          ],
+          'Content-Security-Policy': ["default-src 'none'"],
         },
       });
     }
   );
 }
 
-export default { init: initSession };
+export default { init };