Allow resources that use the data: scheme, which embeds content directly in the HTML, typically as base64-encoded data.

This is commonly needed for the img-src directive when plugins or scripts generate inline images, for example charts, graphs, or icons that are dynamically generated as data URIs.

Allowing data: for script-src can be unsafe, as it may allow inline scripts to bypass Content Security Policy protections.
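
The distinction above can be checked mechanically. The following is an added example, not part of the original documentation: it parses a policy string and reports whether data: is permitted for images and for scripts, including the case where scripts inherit data: from default-src. The function names and sample policies are constructed for illustration.

```javascript
// Added example: audit where a CSP permits the data: scheme.
// Fallback chains per CSP Level 3; the first directive present governs the type.
const FALLBACK = {
  script: ["script-src-elem", "script-src", "default-src"],
  img: ["img-src", "default-src"],
};

// Parse a policy string into Map<directive name, source expressions[]>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only its first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report, for one resource type, which directive governs it and whether
// that directive lists data: explicitly ("*" does not match data: URIs).
function dataAllowed(directives, type) {
  const governing = FALLBACK[type].find((name) => directives.has(name)) || null;
  if (governing === null) return { governing, allowsData: true }; // unrestricted
  const sources = directives.get(governing);
  return { governing, allowsData: sources.some((s) => s.toLowerCase() === "data:") };
}

function auditDataScheme(policy) {
  const directives = parseCsp(policy);
  return { img: dataAllowed(directives, "img"), script: dataAllowed(directives, "script") };
}

// Constructed sample policies.
const SAMPLES = {
  scoped: "default-src 'self'; img-src 'self' data:; script-src 'self'",
  inherited: "default-src 'self' data:; img-src 'self'",
};
for (const [label, policy] of Object.entries(SAMPLES)) {
  const r = auditDataScheme(policy);
  console.log(label, "img:", r.img.allowsData, "script:", r.script.allowsData,
    "(via " + r.script.governing + ")");
}
```

In the "inherited" sample, data: was added to default-src and no script-src is present, so scripts pick it up through the fallback; scoping data: to img-src avoids that.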