What is best practice to edit the CSP

Hello,

The following question: what is the best practice to customize the CSP?
I could well imagine that changes I make in core/View/SecurityPolicy.php might be overwritten again during updates. Or is that not the case?

Currently I have a CSP rule violation for img-src:
"[Report Only] Refused to load the image 'https://plugins.matomo.org/ActivityLog/images/…' because it violates the following Content Security Policy directive: "img-src 'self' 'unsafe-inline' 'unsafe-eval' data:"."

Sure, because https://plugins.matomo.org is not listed in the CSP.

What is the best solution here to resolve this conflict permanently?
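
Added example (not part of the original post, and not Matomo code): a simplified CSP source-list matcher run against the img-src directive and URL prefix from the report above, showing why the image is refused and that listing the https://plugins.matomo.org origin would cover it. `PAGE_ORIGIN` and the function names are assumptions made for the illustration.

```javascript
// Added example: simplified CSP source matching (paths, redirects and
// default-src fallback are not modelled).
// REPORTED and BLOCKED come from the report quoted in the post; PAGE_ORIGIN is
// a constructed placeholder for the origin serving Matomo.
const PAGE_ORIGIN = "https://matomo.example";
const REPORTED = "img-src 'self' 'unsafe-inline' 'unsafe-eval' data:";
const BLOCKED = "https://plugins.matomo.org/ActivityLog/images/"; // file name elided on the page

function sourcesFor(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return null;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', 'none': never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. data:
  const isWeb = url.protocol === "http:" || url.protocol === "https:";
  if (s === "*") return isWeb;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme ? url.protocol !== scheme + ":" : !isWeb) return false;
  const defaultPort = url.protocol === "https:" ? "443" : "80";
  if (port !== "*" && (url.port || defaultPort) !== (port || defaultPort)) return false;
  return host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
}

function imageAllowed(policy, imageUrl, pageOrigin) {
  const sources = sourcesFor(policy, "img-src");
  if (sources === null) throw new Error("policy has no img-src directive");
  const url = new URL(imageUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

console.log(imageAllowed(REPORTED, BLOCKED, PAGE_ORIGIN));
console.log(imageAllowed(REPORTED + " https://plugins.matomo.org", BLOCKED, PAGE_ORIGIN));
```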