diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 076ca051..87a8914d 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -109,12 +109,12 @@ function page_headers() {
 function csp() {
 return array(
 array(
- "default-src" => "'none'",
 "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
 "style-src" => "'self' 'unsafe-inline'",
 "connect-src" => "'self'",
- "img-src" => "'self' data:",
 "frame-src" => "https://www.adminer.org",
+ "object-src" => "'none'",
+ "base-uri" => "'none'",
 "form-action" => "'self'",
 ),
 );
diff --git a/changes.txt b/changes.txt
index 9a23ce7c..7ac3935c 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,5 +1,6 @@
 Adminer 4.4.1-dev:
 Adminer: Fix Search data in tables (regression from 4.4.0)
+CSP: Allow any images, media and fonts, disallow base-uri
 Adminer 4.4.0 (released 2018-01-17):
 Add Content Security Policy
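Review bot: Removing `"default-src" => "'none'"` from csp() opens more than the images, media and fonts named in changes.txt, because every fetch directive without an explicit entry (img-src, media-src, font-src, but also manifest-src, prefetch-src and any directive later browsers add) now falls back to unrestricted rather than to 'none'. The narrower way to get the stated effect is to keep the 'none' default and list the three intended directives explicitly, so anything not named stays denied; `data:` has to be spelled out since `*` does not match scheme sources, and the old img-src already allowed it. The added `object-src 'none'` and `base-uri 'none'` are sound and remain useful alongside the default (object-src then merely restates it). csp()'s closing brace lies past the end of the hunk, but the array is complete within it.

```php
"default-src" => "'none'",
// … unchanged: script-src, style-src, connect-src …
"img-src" => "* data:",
"media-src" => "* data:",
"font-src" => "* data:",
"frame-src" => "https://www.adminer.org",
// … unchanged: object-src, base-uri, form-action …
```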