diff --git a/src/Controller/AttachmentFileController.php b/src/Controller/AttachmentFileController.php
index 278bcf6e..bc16b7dc 100644
--- a/src/Controller/AttachmentFileController.php
+++ b/src/Controller/AttachmentFileController.php
@@ -69,7 +69,7 @@ class AttachmentFileController extends AbstractController
 //Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
 //Also set the sandbox CSP directive with only "allow-script" to run basic scripts
- $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts;");
+ $response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts allow-downloads allow-modals;");
 //Forbid to embed the attachment render page in an iframe to prevent clickjacking, as it is not used anywhere else for now
 $response->headers->set('X-Frame-Options', 'DENY');
diff --git a/templates/attachments/html_sandbox.html.twig b/templates/attachments/html_sandbox.html.twig
index 11367bdf..389ebc2e 100644
--- a/templates/attachments/html_sandbox.html.twig
+++ b/templates/attachments/html_sandbox.html.twig
@@ -65,7 +65,7 @@
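Review bot: The comment directly above the changed `Content-Security-Policy` line still says the sandbox directive carries `only "allow-script"`, which is no longer true once the new header adds `allow-downloads` and `allow-modals` (and the directive keyword is `allow-scripts`, not `allow-script`). Both added flags widen what an uploaded HTML attachment may do on this page: it can now start file downloads and open `alert`/`confirm`/`prompt` dialogs, which, with the page served top-level under the application's origin, could presumably be used to present dialogs that look like they come from the application; the sandbox still withholds same-origin access, so the attachment cannot read the session, but that trade-off deserves to be recorded. I would replace the stale comment with `//Also set the sandbox CSP directive: allow-scripts so basic scripts run, plus allow-downloads and allow-modals so an attachment can trigger downloads and dialogs; same-origin access, forms and popups stay blocked` and, if the two flags serve a specific attachment type, name that reason in the commit description or the comment. The enclosing action method starts before and continues after this hunk.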