diff --git a/app/extensions.js b/app/extensions.js
index 2019b1af02f..13536f1f939 100644
--- a/app/extensions.js
+++ b/app/extensions.js
@@ -172,22 +172,23 @@ let generateTorrentManifest = () => {
   let cspDirectives = {
     'default-src': '\'self\'',
     // TODO(bridiver) - remove example.com when webtorrent no longer requires it
+    //                  (i.e. once Brave uses webpack v2)
     'connect-src': '\'self\' https://example.com',
     'media-src': '\'self\' http://localhost:*',
     'form-action': '\'none\'',
     'referrer': 'no-referrer',
     'style-src': '\'self\' \'unsafe-inline\'',
-    'frame-src': '\'self\''
+    'frame-src': '\'self\' http://localhost:*'
   }
 
   if (process.env.NODE_ENV === 'development') {
     // allow access to webpack dev server resources
     let devServer = 'localhost:' + process.env.npm_package_config_port
-    cspDirectives['default-src'] = '\'self\' http://' + devServer
+    cspDirectives['default-src'] += ' http://' + devServer
     cspDirectives['connect-src'] += ' http://' + devServer + ' ws://' + devServer
-    cspDirectives['media-src'] = '\'self\' http://localhost:* http://' + devServer
-    cspDirectives['frame-src'] = '\'self\' http://' + devServer
-    cspDirectives['style-src'] = '\'self\' \'unsafe-inline\' http://' + devServer
+    cspDirectives['media-src'] += ' http://' + devServer
+    cspDirectives['frame-src'] += ' http://' + devServer
+    cspDirectives['style-src'] += ' http://' + devServer
   }
 
   return {