diff --git a/core/core.js b/core/core.js
index 78a71de3..90af4b36 100644
--- a/core/core.js
+++ b/core/core.js
@@ -6,6 +6,8 @@ import * as http from './http.js';
 let gProcesses = {};
 let gStatsTimer = false;
+const k_content_security_policy = 'sandbox allow-downloads allow-top-navigation-by-user-activation';
+
 const k_mime_types = {
 'css': 'text/css',
 'html': 'text/html',
@@ -736,7 +738,7 @@ async function blobHandler(request, response, blobId, uri) {
 let match;
 let query = form.decodeForm(request.query);
 let headers = {
-'Content-Security-Policy': 'sandbox',
+'Content-Security-Policy': k_content_security_policy,
 };
 if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
 headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
@@ -893,13 +895,13 @@ async function blobHandler(request, response, blobId, uri) {
 }
 sendData(response, answer?.data, answer?.content_type, Object.assign(answer?.headers ?? {}, {
 'Access-Control-Allow-Origin': '*',
-'Content-Security-Policy': 'sandbox',
+'Content-Security-Policy': k_content_security_policy,
 }), answer.status_code);
 } else if (id) {
 if (request.headers['if-none-match'] && request.headers['if-none-match'] == '"' + id + '"') {
 let headers = {
 'Access-Control-Allow-Origin': '*',
-'Content-Security-Policy': 'sandbox',
+'Content-Security-Policy': k_content_security_policy,
 'Content-Length': '0',
 };
 response.writeHead(304, headers);
@@ -908,7 +910,7 @@ async function blobHandler(request, response, blobId, uri) {
 let headers = {
 'ETag': '"' + id + '"',
 'Access-Control-Allow-Origin': '*',
-'Content-Security-Policy': 'sandbox',
+'Content-Security-Policy': k_content_security_policy,
 };
 data = await getBlobOrContent(id);
 let type = guessTypeFromName(uri) || guessTypeFromMagicBytes(data);
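Review bot: The new `k_content_security_policy` value widens the sandbox that every blob response used to carry, and it does so at all four header sites in blobHandler (the hunks at 738, 895 and 910 as well as this one): with `allow-top-navigation-by-user-activation`, content served from a blob can navigate the top-level page after a user gesture, which the bare `sandbox` value forbade, so this is a deliberate trust decision rather than a refactor and the constant deserves a comment saying why each token is there. Something like `// Blob responses stay sandboxed (opaque origin, no script access to the app); allow-downloads and allow-top-navigation-by-user-activation are needed for <TODO: name the feature, e.g. attachment links> — keep this list minimal` above the declaration would record the rationale. If only the `Content-Disposition: attachment` path in the 738 hunk actually needs `allow-downloads`, consider keeping the stricter `'sandbox'` value for the ETag/304 and sendData sites rather than sharing one widened policy. blobHandler begins and ends outside these hunks.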