diff --git a/CHANGELOG.md b/CHANGELOG.md
index 453ea8a346..77a2aa4417 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -107,6 +107,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - The chip input api now provides an external add button
 - OmniSearchbar now makes use of the Combobox
 
+## [2.46.2] - 2024-03-04
+### Fixed
+- Rendering PDF files in source view
+
 ## [2.46.1] - 2023-09-01
 ### Fixed
 - Loading LFS files for imports and mirrors (from 2.44.3)
@@ -1468,6 +1472,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [2.45.1]: https://scm-manager.org/download/2.45.1
 [2.46.0]: https://scm-manager.org/download/2.46.0
 [2.46.1]: https://scm-manager.org/download/2.46.1
+[2.46.2]: https://scm-manager.org/download/2.46.2
 [2.47.0]: https://scm-manager.org/download/2.47.0
 [2.48.0]: https://scm-manager.org/download/2.48.0
 [2.48.1]: https://scm-manager.org/download/2.48.1
diff --git a/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
index 50537fc56d..1ddca93bf7 100644
--- a/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
@@ -54,8 +54,8 @@ public class SecurityHeadersFilter extends HttpFilter {
 response.setHeader("X-Content-Type-Options", "nosniff");
 response.setHeader("Content-Security-Policy",
 "form-action 'self'; " +
- "object-src 'none'; " +
- "frame-ancestors 'none'; " +
+ "object-src 'self'; " +
+ "frame-ancestors 'self'; " +
 "block-all-mixed-content"
 );
 response.setHeader("Permissions-Policy",
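Review bot: The relaxed `object-src 'self'` and `frame-ancestors 'self'` in the `Content-Security-Policy` value are sent on every response this filter handles, not only on the PDF source view the changelog names. Same-origin content, which on this server presumably includes files from user-controlled repositories, therefore becomes embeddable and frameable application-wide. Consider keeping `'none'` as the default and emitting the looser directives only on the routes involved in PDF rendering, or at least confirm that raw repository content is always served with a non-active `Content-Type`, since the `nosniff` header above only helps when the declared type is safe. If the global change stays, a comment such as `// 'self' is needed so the source view can embed same-origin PDFs; repository content must never be served as an active type` would record why the policy was weakened. The enclosing method starts and ends outside the hunk, so whether an `X-Frame-Options` header is set elsewhere and now disagrees with `frame-ancestors` cannot be checked from here.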