diff --git a/next.config.ts b/next.config.ts
index 00952488..7f85c105 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -53,6 +53,10 @@ const csp = [
 "img-src 'self' data: blob: https:",
 "font-src 'self' data:",
 `connect-src 'self' ws: wss: https:${devConnectHosts}`,
+ // PDF previews iframe a presigned storage URL; embedded-signing iframes the
+ // Documenso host. Both are per-port/per-env, so allow https: (matching
+ // img-src). frame-ancestors 'none' still blocks others from embedding us.
+ "frame-src 'self' blob: https:",
 "frame-ancestors 'none'",
 "base-uri 'self'",
 "form-action 'self'",
diff --git a/src/proxy.ts b/src/proxy.ts
index c141d567..4886aed1 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -29,6 +29,12 @@ function buildCspWithNonce(nonce: string, isProd: boolean): string {
 "img-src 'self' data: blob: https:",
 "font-src 'self' data:",
 connectSrc,
+ // PDF previews (signed EOIs etc.) iframe a presigned storage URL, and the
+ // embedded-signing card iframes the Documenso host. Both are per-port /
+ // per-env hosts, so allow https: (matching img-src/connect-src). This is
+ // what WE may embed; frame-ancestors 'none' below still blocks others
+ // from embedding us.
+ "frame-src 'self' blob: https:",
 "frame-ancestors 'none'",
 "base-uri 'self'",
 "form-action 'self'",
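Review bot: `frame-src 'self' blob: https:` lets the app frame any HTTPS origin, which is far wider than the two embeds the comment names (the presigned storage URL and the Documenso host); if markup injection ever reaches a page, an attacker-chosen HTTPS page could then be rendered inside the app's own UI, which the previous policy (no frame-src, so falling back to child-src/default-src, not visible here) presumably disallowed. Since the comment already says both hosts are per-env, build the directive from those configured origins the way `connect-src` appends `${devConnectHosts}`, e.g. `` `frame-src 'self' blob:${frameHosts}` ``, and reserve the bare `https:` for the case where no hosts are configured. The same directive is added in src/proxy.ts's `buildCspWithNonce`, which receives an `isProd` flag that could confine the broad `https:` fallback to non-production builds. The `csp` array begins before and ends after this hunk.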
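Review bot: The CSP directive list is now hand-maintained in two places (the `csp` array in next.config.ts and `buildCspWithNonce` in src/proxy.ts) with comments that already differ in wording, so future directive changes will have to be mirrored by hand and can silently drift. A single exported list of the non-nonce directives shared by both, or at least a test asserting that both emitted policies contain identical `frame-src` and `frame-ancestors` values, would make the divergence visible. `buildCspWithNonce`'s body starts before and ends after this hunk.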