A Content Security Policy is a set of directives that control what is displayed in a client's browser. Each browser type and version obeys as much of the Content Security Policy as matches its abilities. If there is a directive that the browser does not understand, it ignores the directive.
You can select an existing Content Security Policy from the options provided, or create a new one by clicking the icon to the right of the field.
In the ContentSecurityPolicy rule you can define or config your policy for image from external URL under the Image soruce option. You can specify allowed websites in this form.
Coming to the security config., you can set the mode to one of two options for what the system does when a policy is violated:
Reject and Report – Enforce the policy (if the content source is not in the correct list, it is not used) and report the violation.
Report Only – Report the violation, but do not enforce the policy.