diff --git a/src-tauri/src/main.rs b/src-tauri/src/main.rs
index 5793f43..03ca5d0 100644
--- a/src-tauri/src/main.rs
+++ b/src-tauri/src/main.rs
@@ -829,8 +829,12 @@ fn main() {
     #[cfg(not(windows))]
     let window_origin = "phtauri://localhost";
+    // Wildcard ACAO so CORS succeeds for null-origin sandboxed iframes (the
+    // markdown viewer is sandboxed without allow-same-origin to contain
+    // untrusted markdown). Safe: phtauri://localhost isn't reachable from
+    // outside the Tauri webview, and these responses carry no credentials.
     let builder = ResponseBuilder::new()
-        .header("Access-Control-Allow-Origin", window_origin)
+        .header("Access-Control-Allow-Origin", "*")
         .header("Origin", window_origin)
         .header("Cache-Control", "private, max-age=7776000, immutable") // 3 month cache age expiry
         .mimetype(&asset.mime_type);
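Review bot: With `Access-Control-Allow-Origin: *` the sandboxed frame that renders untrusted markdown can now read the body of every response this handler returns, not merely embed it, so the safety argument in the added comment rests entirely on what `asset` can resolve to, and that lookup is outside the hunk. If the protocol handler can serve anything beyond the bundled viewer assets (user files, or request paths that are not normalized before lookup), that content becomes readable from the untrusted frame, which the origin-bound header previously prevented. The comment should record this dependency alongside the unreachability claim, e.g. `// NOTE: every response from this handler is now readable by the sandboxed frame; keep the asset lookup restricted to the bundled set.`. Separately, `Origin` is a request header and has no effect when set on a response, so the `.header("Origin", window_origin)` line on the new side appears to be dead and could be dropped or commented as intentional. The enclosing `fn main()` starts and ends outside the hunk.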