diff --git a/web/middleware/iframe-destroyer.js b/web/middleware/iframe-destroyer.js
index 1737480f3..13d6a7b2c 100644
--- a/web/middleware/iframe-destroyer.js
+++ b/web/middleware/iframe-destroyer.js
@@ -4,8 +4,9 @@ async function iframeDestroyerMiddleware(ctx, next) {
 const {
 request: { path },
 } = ctx;
+ const decodedPath = decodeURIComponent(path);
- if (!path.startsWith(`/$/${PAGES.EMBED}`)) {
+ if (!decodedPath.startsWith(`/$/${PAGES.EMBED}`)) {
 ctx.set('X-Frame-Options', 'DENY');
 }
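Review bot: `decodeURIComponent(path)` on the added line throws `URIError` for a malformed percent-escape, and nothing visible in the hunk catches it, so such a request would leave this middleware before `X-Frame-Options: DENY` is set and presumably surfaces as an error response from whatever handler sits upstream. Decode defensively and fail closed, e.g. `let decodedPath = '';` followed by `try { decodedPath = decodeURIComponent(path); } catch (err) { /* malformed escape: keep DENY */ }`, so an undecodable path can never match the embed prefix. Because this check decides which responses may be framed, it is also worth confirming that the router decodes the path the same way (a single decode, no further normalization); otherwise the header decision and the page actually served can disagree, which is not verifiable from this hunk. The function starts above the hunk and continues past its last line.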