b39e3594d5
Federated matrix.org users load avatars/images from their own media endpoint (matrix-client.matrix.org), which img-src still blocked — so every avatar tripped a CSP violation. Add https://matrix.org + https://*.matrix.org to img-src to match connect-src. (media-src already allows https: so video/audio were fine.)

Applied live to LXC 106 and synced here.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
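
The following is an added example, not code from this commit or repository: a simplified CSP source matcher that shows why the avatar host was blocked under img-src and why both the apex and the wildcard entry are listed. The policy strings, the URL paths and all function names are constructed for illustration; the deployed header is not shown on this page.

```javascript
// Simplified CSP source matching: scheme-sources and scheme://host sources only.
// Ports, paths, 'self', nonces and hashes are outside this sketch and never match.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// An http source also matches https URLs; https matches only https.
function schemeMatches(src, actual) {
  return src === actual || (src === 'http' && actual === 'https');
}

function sourceMatches(source, url) {
  const scheme = url.protocol.slice(0, -1);
  const host = url.hostname.toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return schemeMatches(source.slice(0, -1).toLowerCase(), scheme);
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)$/i.exec(source);
  if (!m || !schemeMatches(m[1].toLowerCase(), scheme)) return false;
  const pattern = m[2].toLowerCase();
  // "*.matrix.org" needs a label in front of ".matrix.org", so the apex does not match.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function imgAllowed(header, urlString) {
  const directives = parsePolicy(header);
  // img-src falls back to default-src when it is absent.
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no directive governs images
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url));
}

// Constructed policies and URL (assumptions, not the real header).
const BEFORE = "default-src 'self'; img-src 'self' data:; connect-src 'self' https://matrix.org https://*.matrix.org; media-src https:";
const AFTER = BEFORE.replace("img-src 'self' data:", "img-src 'self' data: https://matrix.org https://*.matrix.org");
const AVATAR = 'https://matrix-client.matrix.org/avatar.png';
console.log('before:', imgAllowed(BEFORE, AVATAR), 'after:', imgAllowed(AFTER, AVATAR));
```

Running the same check against each directive of a policy before deployment catches hosts that are allowed for one fetch type (here connect-src) but missing from another.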