diff --git a/cps/web.py b/cps/web.py
index 03a00673..bf366f24 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -95,10 +95,10 @@ def add_security_headers(resp):
     if request.endpoint == "edit-book.show_edit_book" or config.config_use_google_drive:
         csp += " *;"
     elif request.endpoint == "web.read_book":
-        csp += " style-src-elem 'self' blob: 'unsafe-inline';"
+        csp += " blob:; style-src-elem 'self' blob: 'unsafe-inline';"
     else:
         csp += ";"
-    csp += "object-src: 'none';"
+    csp += " object-src 'none';"
     resp.headers['Content-Security-Policy'] = csp
     resp.headers['X-Content-Type-Options'] = 'nosniff'
     resp.headers['X-Frame-Options'] = 'SAMEORIGIN'