diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 2cfbb13a..d5e16f00 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -60,6 +60,7 @@ Rails.application.configure do
 # Currently, these include turbolinks, and vis.js.
 policy.style_src_elem :self, :unsafe_inline, :report_sample
 # We still use some inline styles within the application, and indirectly through d3.js.
+ # Further, the ToastUi markdown editor currently requires inline styles, too.
 policy.style_src_attr :unsafe_inline, :report_sample
 # The `style_src` directive is only a fallback for browsers not supporting `style_src_elem` and `style_src_attr`.
 policy.style_src :self, :unsafe_inline, :report_sample
diff --git a/config/webpack/webpack.config.js b/config/webpack/webpack.config.js
index a55e3da7..d8a3d04e 100644
--- a/config/webpack/webpack.config.js
+++ b/config/webpack/webpack.config.js
@@ -35,6 +35,16 @@ const envConfig = module.exports = {
 filename: 'icons/[hash].svg'
 },
 },
+ // Extract ToastUi's inline PNGs to actual resources, similar to Bootstrap's SVGs.
+ // This removes the requirement for `data:` URLs in our CSP
+ {
+ mimetype: 'image/png',
+ scheme: 'data',
+ type: 'asset/resource',
+ generator: {
+ filename: 'icons/[hash].png'
+ },
+ },
 erb
 ]
 },
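Review bot: The added comment records that ToastUi needs `unsafe-inline` on `style_src_attr` but not why the usual tightening (nonce or hash) is not an option, which is the question the next person trying to drop `:unsafe_inline` will ask. Nonces do not apply to `style-src-attr` at all, and hashes only cover a fixed set of attribute values and additionally require `'unsafe-hashes'`, which presumably does not fit markup the editor generates at runtime — confirm against the editor's DOM output. I would extend the comment to something like `# (nonces do not apply to style attributes, and hashing would need 'unsafe-hashes' plus a stable set of values, which the editor's dynamically generated markup does not provide.)` and add a TODO with the upstream issue or version at which this can be revisited. Note that `:report_sample` means the violation reports will carry style samples, so keeping the reporting endpoint active is what lets you detect when the exception is no longer needed. The enclosing `Rails.application.configure do` block begins and ends outside this hunk.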
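Review bot: The new rule only extracts `data:` URLs whose mimetype is exactly `image/png`, so the comment's claim that it "removes the requirement for `data:` URLs in our CSP" holds only if no other dependency inlines a different mimetype (GIF/JPEG images, WOFF fonts, non-SVG icons); nothing in this hunk verifies that, and the CSP change in the same commit touches only the `style_src*` directives, not `img_src` or `font_src`. I would either extend the rule to match any image (`mimetype: /^image\//` or drop the `mimetype` key and keep `scheme: 'data'`) or narrow the comment to `// This removes ToastUi's data: PNGs; the CSP img_src still needs `data:` until a build-output grep shows no other inlined assets.` A quick check is to build and grep the emitted CSS/JS for `data:` before dropping `:data` from `img_src`, and to do that CSP edit in the same change so the two cannot drift apart. Minor: `[hash]` mirrors the existing SVG rule, but for asset modules `[contenthash]` is the form webpack 5 recommends, so consider changing both together rather than introducing a second instance. The enclosing `module.exports` object starts and ends outside this hunk.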