diff --git a/app/assets/templates/directives/component-view.pug b/app/assets/templates/directives/component-view.pug
index 59a8a388d..610e2ab02 100644
--- a/app/assets/templates/directives/component-view.pug
+++ b/app/assets/templates/directives/component-view.pug
@@ -89,7 +89,7 @@ iframe(
 ng-attr-id='component-iframe-{{ctrl.component.uuid}}',
 ng-if='ctrl.component && ctrl.componentValid',
 ng-src='{{ctrl.getUrl() | trusted}}',
- sandbox='allow-scripts allow-top-navigation-by-user-activation allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-modals allow-forms'
+ sandbox='allow-scripts allow-top-navigation-by-user-activation allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-modals allow-forms allow-downloads'
 )
 | Loading
 .loading-overlay(ng-if='ctrl.loading')
diff --git a/config/application.rb b/config/application.rb
index 754c27ab6..ebbcc7664 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -43,7 +43,7 @@ module StandardNotes
 base_uri: %w('self'),
 block_all_mixed_content: false, # see http://www.w3.org/TR/mixed-content/
 child_src: ["*", "blob:"],
- frame_src: ["*", "blob:"],
+ frame_src: ["*", "blob:", "data:"],
 connect_src: ["*"],
 font_src: %w(* 'self'),
 form_action: %w('self'),
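Review bot: The `sandbox` attribute on the component iframe gains `allow-downloads`, but nothing in the template records which component feature needs it. With this token, content loaded through `ng-src='{{ctrl.getUrl() | trusted}}'` may start file downloads in the user's browser, so the grant should carry its reason and be easy to audit later. I would add an unbuffered comment directly above `iframe(`, for example `//- allow-downloads: needed by <component feature>; keep this token list minimal`. The same attribute already pairs `allow-scripts` with `allow-same-origin`, which only isolates the frame when the component is served from a different origin than the app; that constraint is worth stating in the same comment. The `iframe(` call opens in the hunk header, so the attributes above `ng-attr-id` are not visible here.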
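Review bot: `frame_src` now accepts `"data:"` alongside `"*"` and `"blob:"`, so the policy no longer restricts frame sources by scheme at all, and the line gives no reason for the widening. A `data:` document is inline markup and script from whoever supplied the URL, so the protection shifts entirely to whatever validates the URL before it is framed. Whether `ctrl.getUrl()` in component-view.pug can return a `data:` URL is not visible in this diff and should be confirmed. I would add a trailing comment such as `# data: required for <feature>; component URLs are scheme-checked before framing`, and decide deliberately whether `child_src` two lines up should stay at `["*", "blob:"]`, since browsers that fall back to `child-src` for frames would apply the older list. The surrounding policy hash starts and ends outside the hunk.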