diff --git a/core/core.js b/core/core.js
index cec9a20d..d95779e6 100644
--- a/core/core.js
+++ b/core/core.js
@@ -16,13 +16,6 @@ const k_mime_types = {
 	'svg': 'image/svg+xml',
 };
 
-const k_mime_type_is_trusted = {
-	'application/json': true,
-	'text/css': true,
-	'text/javascript': true,
-	'text/json': true,
-};
-
 const k_magic_bytes = [
 	{bytes: [0xff, 0xd8, 0xff, 0xdb], type: 'image/jpeg'},
 	{bytes: [0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00, 0x01], type: 'image/jpeg'},
@@ -573,13 +566,6 @@ function guessTypeFromMagicBytes(data) {
 	}
 }
 
-function guessTypeUntrusted(path, data) {
-	let type = guessTypeFromMagicBytes(data) || guessTypeFromName(path);
-	if (k_mime_type_is_trusted[type]) {
-		return type;
-	}
-}
-
 function sendData(response, data, type, headers) {
 	if (data) {
 		response.writeHead(200, Object.assign({"Content-Type": type || guessTypeFromMagicBytes(data) || "application/binary", "Content-Length": data.byteLength}, headers || {}));
@@ -742,44 +728,38 @@ async function blobHandler(request, response, blobId, uri) {
 		response.end('OK');
 	} else {
 		let data;
-		let type;
-		let headers;
 		let match;
+		let id;
 		if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) {
 			let db = new Database(match[1]);
-			let id = await db.get('path:' + match[2]);
-			if (id) {
-				if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
-					headers = {
-						'Access-Control-Allow-Origin': '*',
-					};
-					response.writeHead(304, headers);
-					response.end();
-				} else {
-					data = utf8Decode(await getBlobOrContent(id));
-					let appObject = JSON.parse(data);
-					data = appObject.files[uri.substring(1)];
-					data = await getBlobOrContent(data);
-					type = guessTypeUntrusted(uri, data);
-					headers = {
-						'ETag': '"' + id + '"',
-						'Access-Control-Allow-Origin': '*',
-					};
-					sendData(response, data, type, headers);
-				}
+			let app_id = await db.get('path:' + match[2]);
+			let app_object = JSON.parse(utf8Decode(await getBlobOrContent(app_id)));
+			id = app_object.files[uri.substring(1)];
+		} else {
+			let app_object = JSON.parse(utf8Decode(await getBlobOrContent(blobId)));
+			id = app_object.files[uri.substring(1)];
+		}
+
+		if (id) {
+			if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
+				let headers = {
+					'Access-Control-Allow-Origin': '*',
+					'Content-Security-Policy': 'sandbox',
+				};
+				response.writeHead(304, headers);
+				response.end();
 			} else {
+				let headers = {
+					'ETag': '"' + id + '"',
+					'Access-Control-Allow-Origin': '*',
+					'Content-Security-Policy': 'sandbox',
+				};
+				data = await getBlobOrContent(id);
+				let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
 				sendData(response, data, type, headers);
 			}
 		} else {
-			data = utf8Decode(await getBlobOrContent(blobId));
-			let appObject = JSON.parse(data);
-			data = appObject.files[uri.substring(1)];
-			data = await getBlobOrContent(data);
-			headers = {
-				'Access-Control-Allow-Origin': '*',
-			};
-			type = guessTypeUntrusted(uri, data);
-			sendData(response, data, type, headers);
+			sendData(response, data, type, {});
 		}
 	}
 }