diff --git a/qt/aqt/mediasrv.py b/qt/aqt/mediasrv.py
index 3acfe96c3..f086ae515 100644
--- a/qt/aqt/mediasrv.py
+++ b/qt/aqt/mediasrv.py
@@ -750,8 +750,12 @@ def legacy_page_data() -> Response:
 # have access to our internal API, and is a security risk.
 if page.context == PageContext.EDITOR:
 port = aqt.mw.mediaServer.getPort()
+ csp_paths = (
+ f"http://127.0.0.1:{port}/_anki/",
+ f"http://127.0.0.1:{port}/_addons/",
+ )
 response.headers["Content-Security-Policy"] = (
- f"script-src http://127.0.0.1:{port}/_anki/"
+ f"script-src {' '.join(csp_paths)}"
 )
 return response
 else:
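Review bot: The new `/_addons/` entry in `csp_paths` widens the editor's `script-src` from Anki's own bundle to every file served under the add-on prefix, and nothing in the hunk records why that is acceptable in a context the preceding comment describes as a security risk. Any script reachable under that prefix can now be referenced by markup that ends up in the editor page, so the trust assumption should be written next to the tuple, for example `# add-ons load their editor scripts from /_addons/; only files an add-on explicitly exports should be reachable under this prefix`. CSP path restrictions are not enforced once a request has been redirected, so it is also worth confirming that neither prefix can redirect to another path on this origin; this cannot be checked from the hunk. The body of legacy_page_data starts and ends outside the hunk.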