diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee3b90e97..9b64b1c4c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
 - Security: Fix fixed position mitigation bypass via use of !important
+- Security: Fix XSS issue in a HTML attachment preview
 
 ## Release 1.5.13
 
diff --git a/program/include/rcmail_action.php b/program/include/rcmail_action.php
index 110515513..da966a9be 100644
--- a/program/include/rcmail_action.php
+++ b/program/include/rcmail_action.php
@@ -683,6 +683,9 @@ abstract class rcmail_action
         header('Content-Type: ' . $file['mimetype']);
         header('Content-Length: ' . $file['size']);
 
+        // Use strict security policy to make sure no javascript is executed
+        header("Content-Security-Policy: script-src 'none'");
+
         if (isset($file['data']) && is_string($file['data'])) {
             echo $file['data'];
         }
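Review bot: The new `Content-Security-Policy: script-src 'none'` header stops script execution in the served attachment, but the document is still rendered in Roundcube's own origin, so any future bypass of that single directive would again run with access to the session; adding the `sandbox` directive would give the preview an opaque origin as defence in depth, e.g. `header("Content-Security-Policy: script-src 'none'; sandbox");`. Note that a bare `sandbox` also blocks forms and top-level navigation from the previewed document, so confirm no caller of this path relies on those before adopting it. Since `Content-Type` is taken directly from `$file['mimetype']` on the line above, it would also be worth sending `header('X-Content-Type-Options: nosniff');` so a browser cannot sniff a non-HTML attachment into HTML. The enclosing method begins and ends outside this hunk.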