diff --git a/lib/Listener/AddContentSecurityPolicyListener.php b/lib/Listener/AddContentSecurityPolicyListener.php
index edbac8ff8a..ced4bb2664 100644
--- a/lib/Listener/AddContentSecurityPolicyListener.php
+++ b/lib/Listener/AddContentSecurityPolicyListener.php
@@ -25,6 +25,7 @@
 namespace OCA\Richdocuments\Listener;
 use OCA\Richdocuments\AppConfig;
+use OCA\Richdocuments\Service\CapabilitiesService;
 use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventListener;
@@ -36,6 +37,7 @@ class AddContentSecurityPolicyListener implements IEventListener {
 public function __construct(
 private IRequest $request,
 private AppConfig $config,
+ private CapabilitiesService $capabilitiesService,
 ) {
 }
@@ -51,7 +53,10 @@ public function handle(Event $event): void {
 $policy = new EmptyContentSecurityPolicy();
 $policy->addAllowedFrameDomain("'self'");
 $policy->addAllowedFrameDomain("nc:");
- $policy->allowEvalWasm(true);
+
+ if ($this->capabilitiesService->hasWASMSupport()) {
+ $policy->allowEvalWasm(true);
+ }
 foreach ($this->config->getDomainList() as $url) {
 $policy->addAllowedFrameDomain($url);
diff --git a/lib/Listener/BeforeTemplateRenderedListener.php b/lib/Listener/BeforeTemplateRenderedListener.php
index 775c1925bb..acad7dd035 100644
--- a/lib/Listener/BeforeTemplateRenderedListener.php
+++ b/lib/Listener/BeforeTemplateRenderedListener.php
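Review bot: The `allowEvalWasm(true)` relaxation in `handle()` of AddContentSecurityPolicyListener is now decided by `hasWASMSupport()`, and nothing at the call site says where that flag comes from or what happens when it is unavailable. Going by the CapabilitiesService change in this commit, the value is read from `getCapabilities()` with a `?? false` fallback, so the policy stays strict when the key is missing; presumably the capabilities come from the configured office server, which would make a remote response the input to the CSP. A short comment would record that, e.g. `// Allow WASM compilation only while the office server advertises WASM support; a missing capability keeps the policy strict`. `handle()` starts and ends outside the hunk, so any page scoping done before this point is not visible here.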
@@ -4,20 +4,27 @@
 namespace OCA\Richdocuments\Listener;
+use OCA\Richdocuments\Service\CapabilitiesService;
 use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventListener;
 /** @template-implements IEventListener */
 class BeforeTemplateRenderedListener implements IEventListener {
+ private CapabilitiesService $capabilitiesService;
+
+ public function __construct(CapabilitiesService $capabilitiesService) {
+ $this->capabilitiesService = $capabilitiesService;
+ }
+
 public function handle(Event $event): void {
 if (!$event instanceof BeforeTemplateRenderedEvent) {
 return;
 }
- // FIXME: Might be too wide, we should only do this when needed
-
- //$event->getResponse()->addHeader('Cross-Origin-Opener-Policy', 'unsafe-none');
- //$event->getResponse()->addHeader('Cross-Origin-Embedder-Policy', 'require-corp');
+ if ($this->capabilitiesService->hasWASMSupport()) {
+ $event->getResponse()->addHeader('Cross-Origin-Opener-Policy', 'same-origin');
+ $event->getResponse()->addHeader('Cross-Origin-Embedder-Policy', 'require-corp');
+ }
 }
 }
diff --git a/lib/Service/CapabilitiesService.php b/lib/Service/CapabilitiesService.php
index df9df32b80..7bd316f5c9 100644
--- a/lib/Service/CapabilitiesService.php
+++ b/lib/Service/CapabilitiesService.php
@@ -114,6 +114,10 @@ public function hasZoteroSupport(): bool {
 return $this->getCapabilities()['hasZoteroSupport'] ?? false;
 }
+ public function hasWASMSupport(): bool {
+ return $this->getCapabilities()['hasWASMSupport'] ?? false;
+ }
+
 public function getProductName(): string {
 $theme = $this->config->getAppValue(Application::APPNAME, 'theme', 'nextcloud');
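Review bot: The COOP/COEP headers in `handle()` of BeforeTemplateRenderedListener are added to every `BeforeTemplateRenderedEvent` response whenever `hasWASMSupport()` is true, which is the scope concern the removed `// FIXME: Might be too wide, we should only do this when needed` described; the commit deletes that comment without narrowing the scope. `Cross-Origin-Embedder-Policy: require-corp` makes the browser block cross-origin subresources that do not opt in via CORP or CORS, and `Cross-Origin-Opener-Policy: same-origin` severs the opener relationship with cross-origin windows, so unrelated pages of the instance may lose embedded content or popup-based flows. Consider gating on the page that actually loads the WASM editor in addition to the capability, or at least keep the caveat: `// FIXME: applied to every rendered template while WASM is advertised; narrow to the editor page`. Separately, the constructor could use promotion (`private CapabilitiesService $capabilitiesService` in the signature), as AddContentSecurityPolicyListener does in this same commit.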
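Review bot: `hasWASMSupport()` in CapabilitiesService returns whatever is stored under `'hasWASMSupport'` and relies on the `bool` return type to convert it, which matters more here than for the neighbouring `hasZoteroSupport()` because this flag now switches the CSP and cross-origin isolation headers elsewhere in the commit. If the file does not declare strict types (not visible in this hunk), a non-boolean value such as a non-empty string would be coerced to `true`; under strict types it would raise a `TypeError` instead. Comparing explicitly, `return ($this->getCapabilities()['hasWASMSupport'] ?? false) === true;`, keeps the flag false for anything but a real boolean, and a one-line docblock stating that the flag gates security headers would help the next reader.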