diff --git a/src/server/internalServer.cpp b/src/server/internalServer.cpp
index 52f32be76..67ddb987d 100644
--- a/src/server/internalServer.cpp
+++ b/src/server/internalServer.cpp
@@ -1123,6 +1123,29 @@ ParameterizedMessage suggestSearchMsg(const std::string& searchURL, const std::s
 });
 }
+///////////////////////////////////////////////////////////////////////////////
+// The content security policy below is set on responses to the /content
+// endpoint in order to prevent the ZIM content from interfering with the
+// viewer (e.g. breaking out of the viewer iframe by performing top-level
+// navigation).
+const std::string CONTENT_CSP_HEADER = "default-src 'self' " "data: " "blob: " "about: " "'unsafe-inline' " "'unsafe-eval'; " + "sandbox allow-scripts " "allow-same-origin " "allow-modals " "allow-popups " "allow-forms " "allow-downloads;";
+
+// End of content security policy
+///////////////////////////////////////////////////////////////////////////////
+
 } // unnamed namespace
 std::unique_ptr
@@ -1184,6 +1207,13 @@ std::unique_ptr InternalServer::handle_content(const RequestContext& r
 auto response = ItemResponse::build(*this, request, entry.getItem());
 response->set_etag_body(archiveUuid);
+ if ( !startsWith(entry.getItem().getMimetype(), "application/pdf") ) {
+ // NOTE: Content security policy is not applied to PDF content so that
+ // NOTE: it can be displayed in the viewer in Chromium-based browsers.
+ response->add_header("Content-Security-Policy", CONTENT_CSP_HEADER);
+ response->add_header("Referrer-Policy", "no-referrer");
+ }
+
 if (m_verbose.load()) {
 printf("Found %s\n", entry.getPath().c_str());
 printf("mimeType: %s\n", entry.getItem(true).getMimetype().c_str());
diff --git a/src/server/response.cpp b/src/server/response.cpp
index 6b4b9fcfc..db20a2fb4 100644
--- a/src/server/response.cpp
+++ b/src/server/response.cpp
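Review bot: The comment on CONTENT_CSP_HEADER says what the policy is for but not which directive does the work: it is the `sandbox` token list omitting `allow-top-navigation` (and `allow-top-navigation-by-user-activation`), not `default-src`, so a later edit could add one of those tokens to "fix a link" without noticing it defeats the stated purpose. Suggest spelling that out next to the sandbox tokens, e.g. `// The iframe-escape protection is the sandbox directive: allow-top-navigation* is deliberately absent.`, and adding that `'unsafe-inline' 'unsafe-eval'` are allowed because ZIM content is arbitrary, so this header is not a script-injection defence for the viewer and should not be read as one. Two more things a maintainer will want written down: `chrome-extension:` from the policy removed in response.cpp is no longer in `default-src`, which is a silent behaviour change if unintended; and, if /content and the viewer page are served from the same origin (not visible in this hunk), `allow-same-origin` together with `allow-scripts` leaves the framed document able to script its parent, so the sandbox here limits navigation rather than isolating the content.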
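Review bot: The `Referrer-Policy: no-referrer` header is now skipped for PDF items together with the CSP, although the NOTE comment only justifies exempting the CSP (Chromium's PDF viewer); links followed from a PDF would then carry the /content URL as referrer. Unless there is a reason not to, hoist `response->add_header("Referrer-Policy", "no-referrer");` above the `if` so that only the CSP is conditional — the coupling is inherited from the block removed in response.cpp, but moving the code is the right moment to untangle it. Since the headers now live only in handle_content rather than in every ContentResponse, any other route that serves ZIM item bodies would no longer receive them; I cannot see from the hunk whether such a route exists, but a one-line comment in this `if` pointing at CONTENT_CSP_HEADER's rationale would make the intended scope explicit. Minor style point: the two NOTE lines each repeat the `NOTE:` prefix, one is enough. handle_content starts and ends outside the hunk.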
@@ -412,12 +412,6 @@ ContentResponse::ContentResponse(const std::string& root, bool verbose, const st
 m_mimeType(mimetype)
 {
 add_header(MHD_HTTP_HEADER_CONTENT_TYPE, m_mimeType);
- if ( !startsWith(m_mimeType, "application/pdf") ) {
- add_header("Content-Security-Policy",
- "default-src 'self' data: blob: about: chrome-extension: 'unsafe-inline' 'unsafe-eval'; "
- "sandbox allow-scripts allow-same-origin allow-modals allow-popups allow-forms allow-downloads;");
- add_header("Referrer-Policy", "no-referrer");
- }
 }
 std::unique_ptr ContentResponse::build(
diff --git a/static/viewer.html b/static/viewer.html
index b9499fc54..fc49f6ac7 100644
--- a/static/viewer.html
+++ b/static/viewer.html
@@ -4,7 +4,7 @@ ZIM Viewer