Content Security Policy on security.alternate-file-domain

I got a fresh Phabricator from Git; then I switched the CDN domain to another one (example.com) is where Phab is hosted; example.io is what I configured as the CDN one.

The docs in one place show setting as “hostname.com” but in another it shows using a value liek “https://example.com/” and – I tried both; hostname only throws loads of errors; a URL makes less errors – still gets this one:

But now, Chrome Console barfs this:

Refused to load the image 'https://example.com/file/data/k5yzdflugespp2okj2c5/PHID-FILE-asmuu4gq3ln3tiktmawt/3d8465-alphanumeric_lato-white_R.png-0%2C0%2C0%2C0.3.png'
 because it violates the following Content Security Policy directive: "img-src https://example.io data:".