diff --git a/web/src/pages/StrategyMarketPage.tsx b/web/src/pages/StrategyMarketPage.tsx
index 588d8d34..0d39a883 100644
--- a/web/src/pages/StrategyMarketPage.tsx
+++ b/web/src/pages/StrategyMarketPage.tsx
@@ -20,7 +20,23 @@ export function StrategyMarketPage() {
 src="https://vergex.trade/explore"
 title={t('strategyMarket', language) || 'Strategy Market'}
 className="h-full w-full border-0"
- allow="fullscreen; clipboard-write"
+ // Permission policy: keep minimal. `fullscreen` matches the existing
+ // DataPage iframe; `clipboard-write` was previously listed but is
+ // not needed by the embedded view and would let the iframe silently
+ // overwrite the user's clipboard (classic clipboard-hijack pattern,
+ // e.g. swap a copied wallet address). Drop it.
+ allow="fullscreen"
+ // Sandbox grants vergex.trade only what it actually needs to render
+ // the explore page: run scripts, talk to its own origin / wallet
+ // providers (allow-same-origin), submit search forms, open external
+ // links in new tabs. Notably absent:
+ // - allow-top-navigation: prevents the iframe from navigating the
+ // parent NOFX shell to an arbitrary URL.
+ // - allow-modals / allow-pointer-lock / allow-orientation-lock:
+ // not needed for a strategy list view.
+ // - allow-storage-access-by-user-activation: keeps any third-party
+ // storage access prompts out of the embedded surface.
+ sandbox="allow-scripts allow-same-origin allow-forms allow-popups allow-popups-to-escape-sandbox"
 referrerPolicy="strict-origin-when-cross-origin"
 />
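Review bot: The comment above the new `sandbox` attribute explains `allow-same-origin` as letting the frame "talk to its own origin / wallet providers", but that token does not gate network access; it decides whether the embedded document keeps its real origin (cookies, localStorage, credentialed same-origin requests) instead of an opaque one, and paired with `allow-scripts` the sandbox only stays meaningful because `vergex.trade` is cross-origin to the NOFX shell, since a same-origin document holding both tokens can remove its own sandbox. The comment should state that invariant so a later change of `src` to a same-origin path does not silently defeat the attribute, e.g. replace the two "talk to its own origin" lines with `// allow-same-origin: keeps the document's real origin (cookies, storage,` / `// credentialed fetches). Safe alongside allow-scripts only while src stays` / `// cross-origin to this shell; a same-origin page could drop its own sandbox.`. The same comment could also note that `allow-popups-to-escape-sandbox` means windows opened from the embed carry none of these restrictions, which appears to be the intended trade-off for external links but is worth saying explicitly. The enclosing `StrategyMarketPage` function begins before this hunk and the `<iframe` opening line is not visible here.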