XWiki can and totally should send a (configurable) CSP header, and we could say that this issue is about this fact. It's just that the behavior that is described in the issue isn't due to XWiki, as XWiki currently doesn't send any CSP header.
This message was sent by Atlassian Jira (v9.3.0#930000-sha1:287aeb6)
If image attachments aren't displayed, see this article.
