diff --git a/samples/client/lit/custom-components-example/ui/custom-components/mcp-apps-component.ts b/samples/client/lit/custom-components-example/ui/custom-components/mcp-apps-component.ts
index 201738b6d..aad77bfef 100644
--- a/samples/client/lit/custom-components-example/ui/custom-components/mcp-apps-component.ts
+++ b/samples/client/lit/custom-components-example/ui/custom-components/mcp-apps-component.ts
@@ -76,7 +76,6 @@ export class McpApp extends Root {
         <iframe
           id="mcp-sandbox"
           referrerpolicy="origin"
-          sandbox="allow-scripts allow-forms allow-popups allow-modals allow-same-origin"
         ></iframe>
       </div>
     `;
@@ -176,7 +175,7 @@ export class McpApp extends Root {
     // 4. Send the Inner HTML UI resource to the sandbox to spin up the actual app.
     await this.bridge.sendSandboxResourceReady({
       html: this.htmlContent,
-      sandbox: "allow-scripts allow-forms allow-popups allow-modals allow-same-origin"
+      sandbox: "allow-scripts allow-forms allow-popups allow-modals"
     });
   }
 
diff --git a/samples/client/shared/mcp_apps_inner_iframe/sandbox.ts b/samples/client/shared/mcp_apps_inner_iframe/sandbox.ts
index fd52381d5..353fefa64 100644
--- a/samples/client/shared/mcp_apps_inner_iframe/sandbox.ts
+++ b/samples/client/shared/mcp_apps_inner_iframe/sandbox.ts
@@ -63,7 +63,7 @@ if (!disableSelfTest) {
 // iframe on a separate origin. It creates an inner iframe for untrusted HTML content.
 const inner = document.createElement("iframe");
 inner.style.cssText = "width:100%; height:100%; border:none;";
-inner.setAttribute("sandbox", "allow-scripts allow-same-origin allow-forms");
+inner.setAttribute("sandbox", "allow-scripts allow-forms allow-popups allow-modals");
 document.body.appendChild(inner);
 
 const RESOURCE_READY_NOTIFICATION: McpUiSandboxResourceReadyNotification["method"] =