diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
index ddd82426d2..430ff0f0ed 100755
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@@ -601,6 +601,13 @@ def prepare(self):
 class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
     """static files should only be accessible when logged in"""
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(AuthenticatedFileHandler, self).content_security_policy + \
+            "; sandbox allow-scripts"
+
     @web.authenticated
     def get(self, path):
         if os.path.splitext(path)[1] == '.ipynb' or self.get_argument("download", False):
diff --git a/notebook/files/handlers.py b/notebook/files/handlers.py
index b942149844..7973fd6914 100644
--- a/notebook/files/handlers.py
+++ b/notebook/files/handlers.py
@@ -26,6 +26,13 @@ class FilesHandler(IPythonHandler):
     a subclass of StaticFileHandler.
     """
 
+    @property
+    def content_security_policy(self):
+        # In case we're serving HTML/SVG, confine any Javascript to a unique
+        # origin so it can't interact with the notebook server.
+        return super(FilesHandler, self).content_security_policy + \
+            "; sandbox allow-scripts"
+
     @web.authenticated
     def head(self, path):
         self.get(path, include_body=False)
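Review bot: The new `content_security_policy` property is duplicated verbatim in both hunks (`AuthenticatedFileHandler` in notebook/base/handlers.py and `FilesHandler` in notebook/files/handlers.py), so the sandbox suffix should live in one place — a module-level constant such as `_FILE_CSP_SUFFIX = "; sandbox allow-scripts"` or a small mixin — so the two file-serving paths cannot drift apart on a security header. The string concatenation also assumes the inherited value is non-empty; if the base `content_security_policy` can resolve to `""` (for example via configuration), the header is emitted as `; sandbox allow-scripts`, which CSP parsers tolerate but is worth guarding with a join that skips empty parts. Note that the `sandbox` directive only takes effect when delivered as a document-level `Content-Security-Policy` header (it is ignored in report-only mode and by browsers that predate its support), so the existing `.ipynb`/`download` attachment branch in `get` remains the primary control for untrusted content and the comment could say so. The commit adds no test asserting that a served `.html` or `.svg` file carries the `sandbox allow-scripts` directive; a handler test checking the response header would pin this behaviour. The bodies of `get` and `head` continue outside the hunks.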