diff --git a/plugins/storage/server/api/files.ts b/plugins/storage/server/api/files.ts
index 08cfae8ab3..303ae75b79 100644
--- a/plugins/storage/server/api/files.ts
+++ b/plugins/storage/server/api/files.ts
@@ -102,7 +102,15 @@ router.get(
     ctx.set("Access-Control-Allow-Origin", "*");
     ctx.set("Cache-Control", cacheHeader);
     ctx.set("Content-Type", contentType);
-    ctx.set("Content-Security-Policy", "sandbox");
+    ctx.set(
+      "Content-Security-Policy",
+      // Safari will not render PDFs in an embed if the sandbox directive is used, so we use a
+      // tight CSP in that case. For all other file types we use the strict sandbox directive
+      // which blocks all content from being loaded and rendered.
+      contentType === "application/pdf"
+        ? "default-src 'self'; object-src 'self'; base-uri 'none';"
+        : "sandbox"
+    );
     ctx.set(
       "Content-Disposition",
       contentDisposition(fileName, {
diff --git a/shared/editor/components/PDF.tsx b/shared/editor/components/PDF.tsx
index 0c0666d18a..f0da78f5dd 100644
--- a/shared/editor/components/PDF.tsx
+++ b/shared/editor/components/PDF.tsx
@@ -111,8 +111,10 @@ export default function PdfViewer(props: Props) {
         title={name}
         src={href}
         ref={embedRef}
-        type="application/pdf"
-        width={width}
+        width={
+          // subtract padding and borders from width
+          width - 24
+        }
         height={height}
         style={{
           pointerEvents:
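Review bot: The PDF branch gives up the opaque origin that `sandbox` provided, so with `default-src 'self'` the served PDF is now same-origin with whatever host this endpoint runs on, and the isolation of user-uploaded content rests on that host being separate from the application origin rather than on the header itself. The comment should state this assumption so it is not lost: `// NOTE: without 'sandbox' the PDF response is same-origin with this host; this is only safe while files are served from an origin separate from the app.` The relaxed policy is also selected purely by `contentType`, whose source is outside the hunk; if it comes from upload metadata rather than the stored bytes, the choice between the two policies is under the uploader's control, so that derivation is worth confirming and `X-Content-Type-Options: nosniff` is worth checking for if the rest of the handler does not already set it. If Safari only needs the object source, `default-src 'none'; object-src 'self'; base-uri 'none'` would be the tighter variant to test, since the current `default-src 'self'` also permits scripts and frames from this host. The enclosing `router.get(` handler starts and ends outside the hunk.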
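Review bot: The new `width - 24` expression on the embed can go to zero or negative when the incoming width is smaller than the padding it accounts for, and the literal is unexplained beyond the inline comment; a named constant with a floor keeps the intent readable and the attribute valid: `const EMBED_CHROME_PX = 24; // horizontal padding + borders` and `width={Math.max(width - EMBED_CHROME_PX, 0)}`. The removal of `type="application/pdf"` is not mentioned in the comment; it appears to make the viewer depend entirely on the server's `Content-Type` header, which is fine if intended but deserves a one-line comment such as `// MIME type comes from the server's Content-Type header`. The JSX return this attribute belongs to starts and ends outside the hunk.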