diff --git a/lib/defaults.js b/lib/defaults.js
index abc6c58c6..b4f643006 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -18,7 +18,7 @@ Default.commonCSP = function (domain, sandbox) {
          */
         "child-src 'self' blob: " + domain + sandbox,
         // IE/Edge
-        "'frame-src 'self' blob: " + sandbox,
+        "frame-src 'self' blob: " + sandbox,
 
         /*  this allows connections over secure or insecure websockets
             if you are deploying to production, you'll probably want to remove