From ee1cf6596b1e41c82725aedc2efdf774de23b715 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sascha=20I=C3=9Fbr=C3=BCcker?=
Date: Tue, 30 Dec 2025 11:34:04 +0100
Subject: [PATCH] Allow sandboxes scripts when viewing assets (#1252)
---
 bookmarks/tests/test_bookmark_asset_view.py | 4 ++--
 bookmarks/views/assets.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bookmarks/tests/test_bookmark_asset_view.py b/bookmarks/tests/test_bookmark_asset_view.py
index ccdaeb9..f65937d 100644
--- a/bookmarks/tests/test_bookmark_asset_view.py
+++ b/bookmarks/tests/test_bookmark_asset_view.py
@@ -151,7 +151,7 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
 response["Content-Disposition"],
 f'inline; filename="{asset.display_name}.html"',
 )
- self.assertEqual(response["Content-Security-Policy"], "sandbox")
+ self.assertEqual(response["Content-Security-Policy"], "sandbox allow-scripts")
 def test_uploaded_file_download_headers(self):
 bookmark = self.setup_bookmark()
@@ -163,4 +163,4 @@ class BookmarkAssetViewTestCase(TestCase, BookmarkFactoryMixin):
 response["Content-Disposition"],
 f'inline; filename="{asset.display_name}"',
 )
- self.assertEqual(response["Content-Security-Policy"], "sandbox")
+ self.assertEqual(response["Content-Security-Policy"], "sandbox allow-scripts")
diff --git a/bookmarks/views/assets.py b/bookmarks/views/assets.py
index 65eef97..89ff1c6 100644
--- a/bookmarks/views/assets.py
+++ b/bookmarks/views/assets.py
@@ -33,7 +33,7 @@ def view(request, asset_id: int):
 response = HttpResponse(content, content_type=asset.content_type)
 response["Content-Disposition"] = f'inline; filename="{asset.download_name}"'
- response["Content-Security-Policy"] = "sandbox"
+ response["Content-Security-Policy"] = "sandbox allow-scripts"
 return response
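Review bot: The updated assertions in test_bookmark_asset_view.py (the hunk at -151 and the one at -163) pin the exact header string but never state the property that makes `allow-scripts` tolerable, namely that the asset stays in an opaque origin. I would add `self.assertNotIn("allow-same-origin", response["Content-Security-Policy"])` next to each equality check, so a later widening of the sandbox token list fails a test that names the invariant instead of a string comparison someone simply updates. Both test methods begin outside the visible hunks, so I have not checked how the assets are set up.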
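Review bot: In `view`, the header `sandbox allow-scripts` is set unconditionally, independent of `asset.content_type`, so any stored HTML (snapshots and, per the second test, uploaded files) now executes its scripts when opened inline from the application's own host. This is safe only while `allow-same-origin` is absent, because the sandboxed document then gets an opaque origin with no access to the app's cookies or storage; the line deserves a comment recording that, e.g. `# allow-scripts only: never add allow-same-origin, asset content is untrusted and served from the app's host`. Sandboxed scripts can still issue network requests, so if snapshots do not need them it may be worth appending a fetch restriction such as `; connect-src 'none'`, which I cannot judge from this hunk. The body of `view` starts outside the hunk.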