diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index 79cf5969b3..66d6b1ff3a 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
@@ -119,15 +119,17 @@ export default React.createClass({
Loading...
 );
 } else {
+ // Note that there is advice saying allow-scripts shouldn;t be used with allow-same-origin
+ // because that would allow the iframe to prgramatically remove the sandbox attribute, but
+ // this would only be for content hosted on the same origin as the riot client: anything
+ // hosted on the same origin as the client will get the same access access as if you clicked
+ // a link to it.
+ const sandboxFlags = "allow-forms allow-popups allow-popups-to-escape-sandbox "+
+ "allow-same-origin allow-scripts";
 appTileBody = (
- // Note that there is advice saying allow-scripts shouldn;t be used with allow-same-origin
- // because that would allow the iframe to prgramatically remove the sandbox attribute, but
- // this would only be for content hosted on the same origin as the riot client: anything
- // hosted on the same origin as the client will get the same access access as if you clicked
- // a link to it.
);
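Review bot: The new comment above `const sandboxFlags` has three typos that weaken a security-relevant explanation (`shouldn;t`, `prgramatically`, `access access`); I would write `// Note that there is advice saying allow-scripts shouldn't be used with allow-same-origin`, `// because that would allow the iframe to programmatically remove the sandbox attribute, but` and `// hosted on the same origin as the client will get the same access as if you clicked`. The argument the comment makes only holds while widget content is never served from the client's own origin, so it is worth closing the comment with that assumption stated, e.g. `// (this relies on widget URLs never being hosted on the client's own origin).` Since the flag string is a fixed literal, it could also live as a module-level constant instead of being rebuilt on each render, though that is a style preference. The enclosing render method, and the iframe that presumably consumes sandboxFlags, lie outside the visible part of this hunk.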