diff --git a/hosts/common/programs/epiphany.nix b/hosts/common/programs/epiphany.nix
index 57b94a21..c561daff 100644
--- a/hosts/common/programs/epiphany.nix
+++ b/hosts/common/programs/epiphany.nix
@@ -8,6 +8,15 @@
 { pkgs, ... }:
 {
   sane.programs.epiphany = {
+    sandbox.method = "bwrap";
+    sandbox.extraConfig = [
+      # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
+      # enabling DRM (as below) seems to fix that.
+      "--sane-sandbox-path" "/dev/dri"
+      "--sane-sandbox-path" "/sys/dev/char"
+      "--sane-sandbox-path" "/sys/devices"
+    ];
+    fs."tmp" = {};
     # XXX(2023/07/08): running on moby without `WEBKIT_DISABLE_SANDBOX...` fails, with:
     # - `bwrap: Can't make symlink at /var/run: File exists`
     # this could be due to: