Fetching the user initials Avatar and CORS

Hi, what is the correct way to render these avatar images?

Using <img src={avatarUrls['48x48']} /> results in errors related to CORS:

I added some rules in the manifest, but it doesn’t work:

The avatars in question are what Jira uses by default as the user's initials.

There is no problem getting avatars where users actually upload a picture. Any help?

One possible workaround is to add *.wp.com in the permissions.external.images as you do for Gravatar. By the way, it would be great if Forge handled this internally.
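
The workaround above written out as a manifest.yml fragment. This is an added example, not taken from the thread or from Atlassian's own code. The Gravatar host pattern is an assumption, since the thread does not show the rules the original poster already had.

```yaml
# manifest.yml (fragment) - image egress allowlist for a Forge app
permissions:
  external:
    images:
      # Assumed existing entry for uploaded-picture avatars served via Gravatar
      - '*.gravatar.com'
      # Entry suggested in the reply: the default initials avatars are
      # served from a wp.com host. The wildcard allows images from any
      # wp.com subdomain, so keep the list limited to hosts the app needs.
      - '*.wp.com'
```

Changes to manifest permissions take effect only after the app is redeployed and the installation is upgraded (forge deploy, then forge install --upgrade).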