diff --git a/src/pretix/control/views/event.py b/src/pretix/control/views/event.py
index e7cd8a421..e85602d2a 100644
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -316,8 +316,7 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
     def get(self, request, *args, **kwargs):
         pdf = build_preview_invoice_pdf(request.event)
         resp = HttpResponse(pdf, content_type='application/pdf')
-        resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; script-src 'unsafe-inline'; object-src 'self'"
-        resp['Content-Disposition'] = 'inline; filename="invoice-preview.pdf"'
+        resp['Content-Disposition'] = 'attachment; filename="invoice-preview.pdf"'
         return resp
 
 
@@ -528,11 +527,7 @@ class TicketSettingsPreview(EventPermissionRequiredMixin, View):
         fname, mimet, data = tickets.preview(self.request.event.pk, self.output.identifier)
         resp = HttpResponse(data, content_type=mimet)
         ftype = fname.split(".")[-1]
-        if mimet == "application/pdf":
-            resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; script-src 'unsafe-inline'; object-src 'self'"
-            resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
-        else:
-            resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
+        resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
         return resp
 
     def get_error_url(self) -> str:
diff --git a/src/pretix/plugins/ticketoutputpdf/views.py b/src/pretix/plugins/ticketoutputpdf/views.py
index c332f80b3..e6f693f7c 100644
--- a/src/pretix/plugins/ticketoutputpdf/views.py
+++ b/src/pretix/plugins/ticketoutputpdf/views.py
@@ -105,8 +105,7 @@ class EditorView(EventPermissionRequiredMixin, ChartContainingView, TemplateView
 
             resp = HttpResponse(data, content_type=mimet)
             ftype = fname.split(".")[-1]
-            resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; script-src 'unsafe-inline'; object-src 'self'"
-            resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
+            resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
             return resp
         elif "data" in request.POST:
             if cf:
diff --git a/src/pretix/presale/views/order.py b/src/pretix/presale/views/order.py
index a3a447e9f..74b85b9fc 100644
--- a/src/pretix/presale/views/order.py
+++ b/src/pretix/presale/views/order.py
@@ -581,15 +581,9 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
             return render(self.request, "pretixbase/cachedfiles/pending.html", {})
         else:
             resp = FileResponse(ct.file.file, content_type=ct.type)
-            if ct.type == "application/pdf":
-                resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; script-src 'unsafe-inline'; object-src 'self'"
-                resp['Content-Disposition'] = 'inline; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
-                )
-            else:
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
-                )
+            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+                self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
+            )
             return resp
 
     def _download_position(self):
@@ -620,17 +614,10 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
             return render(self.request, "pretixbase/cachedfiles/pending.html", {})
         else:
             resp = FileResponse(ct.file.file, content_type=ct.type)
-            if ct.type == "application/pdf":
-                resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; script-src 'unsafe-inline'; object-src 'self'"
-                resp['Content-Disposition'] = 'inline; filename="{}-{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                    self.output.identifier, ct.extension
-                )
-            else:
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                    self.output.identifier, ct.extension
-                )
+            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+                self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                self.output.identifier, ct.extension
+            )
             return resp
 
 
@@ -660,6 +647,5 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
             return redirect(self.get_order_url())
 
         resp = FileResponse(invoice.file.file, content_type='application/pdf')
-        resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; script-src 'unsafe-inline'; object-src 'self'"
-        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(invoice.number)
+        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
         return resp