In Qlik Saas, when adding an image <URL> https://play-lh.googleusercontent.com/ahJtMe0vfOlAu1XJVQ6rcaGrQBgtrEZQefHy7SXB7jpijKhu1Kkox90XDuH8Rm... as a column to a table, we expected this to fail because it should require "img-src" directive to be checked in "Content Security Policy".

However, the logo with image <url> above is displayed correctly (see logo dispayed as Dim1 column in below screenshot ).

Adding a new column 'Alpha' with image <url> https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTaANtept27EFdcIQ62k2W2VCkpXSq0iDxT4w&usqp=CAU does not display the expected image.
Environment
Resolution
From a close look to console tab (of dev-tool), we noticed that some image <urls> are recognized by default (see above attached screenshot). They do not require the use of directive "img-src ".
Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src 'self' data: maps.qlikcloud.com ibasemaps-api.arcgis.com cdn.pendo.io app.pendo.io pendo-static-5763789454311424.storage.googleapis.com data.pendo.io *.gravatar.com *.wp.com *.googleusercontent.com cdn.qlik-stage.com cdn.qlikcloud.com upload.wikimedia.org".
A documentation request HLP-13324 was submitted to R&D .
Cause
Product Defect ID: HLP-13324