I'd like to allow scripts only from my local server with certain exceptions like jQuery etc., but be flexible to load external images. I'm aware that there is a directive like

Content-Security-Policy: script-src 'self' https://apis.google.com; img-src 'self' https://www.flickr.com;

to allow images from both, my own webserver and Flickr, but is it possible to allow images from all sources - or would this violate the whole concept of CSP and thus be impossible? I'm maintaining a blog often requiring to embed external images, so it basically comes up to a decision on whether it makes sense and is manageable to add CSP to my website or not.

Including images from all sources is a mostly safe practice in terms of security, but you may not like the content of the images that can be used.

To allow all images, use:

img-src * data:;

It's probably reasonable to limit this to https: sources so your users don't get a mixed content (broken lock) error:

img-src https: data:;

In either case, be sure to send X-Content-Type-Options: nosniff" to prevent content type sniffing that happens in Chrome/IE. I'm not sure if firefox will treat an image tag that points to a javascript file will treat that as Javascript due to sniffing, but your script-src should prevent that from being terrible. I'm not sure if apis.google.com hosts user scripts or if it's limited to typical open source libraries.

In my case, I wanted to include thumbnails to show when I upload an image. You add this on your Content Security Policy meta tag.

img-src * blob: data:;