diff --git a/Admin.NET/Admin.NET.Web.Core/Startup.cs b/Admin.NET/Admin.NET.Web.Core/Startup.cs
index d38346b2..e8d250f7 100644
--- a/Admin.NET/Admin.NET.Web.Core/Startup.cs
+++ b/Admin.NET/Admin.NET.Web.Core/Startup.cs
@@ -283,7 +283,7 @@ public class Startup : AppStartup
 // 限制 Flash 和其他插件的跨域访问,防止数据泄露
 context.Response.Headers.Append("X-Permitted-Cross-Domain-Policies", "none");
 // 限制可执行的脚本和样式,降低 XSS 攻击的风险
-context.Response.Headers.Append("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;");
+context.Response.Headers.Append("Content-Security-Policy", "style-src 'self' 'unsafe-inline';");
 // 允许浏览器使用地理位置 API,但仅限于当前站点
 context.Response.Headers.Append("Permissions-Policy", "geolocation=(self)");
 // 强制使用 HTTPS,防止中间人攻击
diff --git a/Web/src/components/editor/index.vue b/Web/src/components/editor/index.vue
index 92117bcc..997d3887 100644
--- a/Web/src/components/editor/index.vue
+++ b/Web/src/components/editor/index.vue
@@ -63,7 +63,7 @@ const state = reactive({
 .apiSysFileUploadFilePostForm(file)
 .then(({ data }) => {
 if (data.type == 'success' && data.result) {
-editorRef.value.insertNode({ type: 'image', src: data.result.url, alt: data.result.fileName, href: data.result.url, children: [{ text: '' }] });
+editorRef.value.insertNode({ type: 'image', src: '/' + data.result.url, alt: data.result.fileName, href: '/' + data.result.url, children: [{ text: '' }] });
 } else {
 ElMessage.error('上传失败!');
 }
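Review bot: The new Content-Security-Policy value drops `default-src`, `script-src` and `img-src` entirely, so the header now constrains only stylesheets and places no restriction on where scripts, frames, images or connections may be loaded from; the comment directly above it ("限制可执行的脚本和样式,降低 XSS 攻击的风险") no longer describes what the header does. If the previous policy was removed because it broke the front end, the safer shape is to keep a restrictive baseline and widen only the directive that needed it, e.g. `"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self';"`, or to trial the intended policy under `Content-Security-Policy-Report-Only` first so violations are logged rather than blocking. At minimum the comment should be updated to say that the policy is intentionally minimal and why. The middleware lambda this line belongs to starts and ends outside the hunk.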
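Review bot: Unconditionally prepending `'/'` to `data.result.url` yields `//...` whenever the upload API returns a path that already begins with a slash or, presumably, an absolute URL from external storage; a `//host/path` value is protocol-relative and makes the browser fetch the image from a different origin than intended. Normalising once before building the node avoids both cases: `const url = /^(\/|https?:)/.test(data.result.url) ? data.result.url : '/' + data.result.url;` followed by `editorRef.value.insertNode({ type: 'image', src: url, alt: data.result.fileName, href: url, children: [{ text: '' }] });`. The enclosing upload handler starts and ends outside the hunk.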