Content Security Policy on security.alternate-file-domain

I got a fresh Phabricator from Git; then I switched the CDN domain to another one ( is where Phab is hosted; is what I configured as the CDN one.

The docs in one place show setting as “” but in another it shows using a value liek “” and – I tried both; hostname only throws loads of errors; a URL makes less errors – still gets this one:

But now, Chrome Console barfs this:

Refused to load the image ''
 because it violates the following Content Security Policy directive: "img-src data:".