diff --git a/app/controllers/feedbacks_controller.rb b/app/controllers/feedbacks_controller.rb
index a2cb05ed3c..f445dcbacf 100644
--- a/app/controllers/feedbacks_controller.rb
+++ b/app/controllers/feedbacks_controller.rb
@@ -9,6 +9,11 @@ class FeedbacksController < ApplicationController
 has_scope :by_status, as: 'status'
+ content_security_policy only: %i[show] do |policy|
+ # allow sandboxed description
+ policy.frame_src -> { [sandbox_url] }
+ end
+
 def show
 @crumbs = [
 [@feedback.evaluation.series.course.name, course_url(@feedback.evaluation.series.course)],
diff --git a/app/controllers/submissions_controller.rb b/app/controllers/submissions_controller.rb
index 7cb5c82657..1ee113dfbe 100644
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@@ -25,6 +25,11 @@ class SubmissionsController < ApplicationController
 order_by :user, :exercise, :created_at, :status
+ content_security_policy only: %i[show] do |policy|
+ # allow sandboxed description
+ policy.frame_src -> { [sandbox_url] }
+ end
+
 def index
 authorize Submission
 @submissions = @submissions.includes(:annotations).paginate(page: parse_pagination_param(params[:page]))
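Review bot: Assigning `policy.frame_src` inside a controller-level `content_security_policy` block replaces the frame-src directive inherited from the application-wide policy instead of appending to it, so on `FeedbacksController#show` the value of `sandbox_url` becomes the only permitted frame source; the identical block in `SubmissionsController` in the second hunk behaves the same way. The global policy and `sandbox_url` are both defined outside this diff, so it is worth confirming that no other frame source is needed on these pages and that `sandbox_url` resolves to an origin separate from the main application host, since the isolation of the description presumably depends on that. I would expand the comment to record the intent, e.g. `# description is rendered in an iframe served from the sandbox origin; this replaces any inherited frame-src for show`. Because the block is repeated verbatim in both controllers, consider moving it into a shared concern so the policy is maintained in one place.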