diff --git a/app/Factories/ImageFactory.php b/app/Factories/ImageFactory.php
index 51689de852e..21ad02f04fe 100644
--- a/app/Factories/ImageFactory.php
+++ b/app/Factories/ImageFactory.php
@@ -343,10 +343,10 @@ protected function imageResponse(string $data, string $mime_type, string $filena
 ->withHeader('X-Image-Exception', 'SVG image blocked due to XSS.');
 }
 
- // HTML files may contain javascript, so use content-security-policy to disable it.
+ // HTML files may contain javascript and iframes, so use content-security-policy to disable them.
 $response = response($data)
 ->withHeader('content-type', $mime_type)
- ->withHeader('content-security-policy', 'script-src none');
+ ->withHeader('content-security-policy', 'script-src none;frame-src none');
 
 if ($filename === '') {
 return $response;
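Review bot: The new header value `script-src none;frame-src none` uses the CSP keyword `none` without the single quotes the spec requires, so browsers parse it as a host-source named "none" (and log a "did you mean 'none'" warning) rather than the intended keyword; the pre-existing `script-src none` had the same defect, and this hunk carries it into the new directive. The line should read `->withHeader('content-security-policy', "script-src 'none'; frame-src 'none'");` with the keywords quoted inside a double-quoted PHP string. Worth noting in the comment that a CSP limited to these two directives still leaves plugin content, forms and navigation open in an attacker-supplied HTML document served from this origin; if the intent is to fully neuter uploaded HTML, the CSP `sandbox` directive (or `default-src 'none'`) is the stronger control, though whether that fits the rendering this endpoint needs cannot be judged from the hunk. imageResponse() begins before and continues past this hunk.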