diff --git a/src/calibre/gui2/tweak_book/preview.py b/src/calibre/gui2/tweak_book/preview.py
index c7dff003e8..595fb800fd 100644
--- a/src/calibre/gui2/tweak_book/preview.py
+++ b/src/calibre/gui2/tweak_book/preview.py
@@ -145,6 +145,7 @@ class ParseWorker(Thread):
     def is_alive(self):
         return Thread.is_alive(self) or (hasattr(self, 'worker') and self.worker.is_alive())
 
+
 parse_worker = ParseWorker()
 # }}}
 
@@ -280,6 +281,7 @@ class WebPage(QWebPage):
         settings.setAttribute(settings.PrivateBrowsingEnabled, True)
         settings.setAttribute(settings.JavascriptCanOpenWindows, False)
         settings.setAttribute(settings.JavascriptCanAccessClipboard, False)
+        settings.setAttribute(settings.LocalContentCanAccessFileUrls, False)  # ensure javascript cannot read from local files
         settings.setAttribute(settings.LinksIncludedInFocusChain, False)
         settings.setAttribute(settings.DeveloperExtrasEnabled, True)
         settings.setDefaultTextEncoding('utf-8')
diff --git a/src/calibre/gui2/viewer/documentview.py b/src/calibre/gui2/viewer/documentview.py
index d96c1166ca..a45ff8962b 100644
--- a/src/calibre/gui2/viewer/documentview.py
+++ b/src/calibre/gui2/viewer/documentview.py
@@ -53,6 +53,7 @@ def apply_basic_settings(settings):
     settings.setAttribute(QWebSettings.PluginsEnabled, False)
     settings.setAttribute(QWebSettings.JavascriptCanOpenWindows, False)
     settings.setAttribute(QWebSettings.JavascriptCanAccessClipboard, False)
+    settings.setAttribute(QWebSettings.LocalContentCanAccessFileUrls, False)  # ensure javascript cannot read from local files
     # PrivateBrowsing disables console messages
     # settings.setAttribute(QWebSettings.PrivateBrowsingEnabled, True)
     settings.setAttribute(QWebSettings.NotificationsEnabled, False)
@@ -1435,5 +1436,3 @@ class DocumentView(QWebView):  # {{{
             self.link_clicked(qurl)
 
 # }}}
-
-