diff --git a/lib/defaults.js b/lib/defaults.js
index 3f1ac0bda..abc6c58c6 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -18,7 +18,7 @@ Default.commonCSP = function (domain, sandbox) {
 */
 "child-src 'self' blob: " + domain + sandbox,
 // IE/Edge
- `frame-src 'self' blob:${sandbox}/* blob:${domain}/* ${domain} ${sandbox}`,
+ "'frame-src 'self' blob: " + sandbox,
 /* this allows connections over secure or insecure websockets if you are deploying to production, you'll probably want to remove
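Review bot: The added string opens with a stray single quote, so the directive is emitted as `'frame-src` rather than `frame-src`. Browsers are expected to ignore a directive name they do not recognise, which would leave framing governed by the `child-src`/`default-src` fallback instead of this line. The line should read `"frame-src 'self' blob: " + sandbox,`. The new value also drops `domain`, which the `child-src` line above still lists. If that narrowing is intended, a short comment such as `// frames may only load from the sandbox origin` would record it, and it is worth confirming that `sandbox` carries its own leading space where `child-src` concatenates `domain + sandbox`. The body of `Default.commonCSP` starts and ends outside this hunk, so how the array is joined into the header is not visible here.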