diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index 95023151d..48fc827e3 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@@ -72,15 +72,18 @@ RedirectMatch "^/$" "/plinth"
 ## Enable strict sandboxing enabled with some exceptions:
 ## - Allow running Javascript.
 ## - Allow popups as sometimes we use
+## - Allow popups to have different sandbox requirements as we launch apps' web
+## clients.
 ## - Allow forms to support configuration forms.
-## -
+## - Allow policies to treat same origin differently from other origins
+## - Allow downloads such as backup tarballs.
 ##
 ## Disable browser guessing of MIME types. FreedoBox already sets good content
 ## types for all the common file types.
 ##
 Header set Referrer-Policy 'same-origin'
-Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
+Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
 Header set X-Content-Type-Options 'nosniff'