diff --git a/core/src/io/anuke/mindustry/mod/Scripts.java b/core/src/io/anuke/mindustry/mod/Scripts.java
index 4de51215a0..f55a52571d 100644
--- a/core/src/io/anuke/mindustry/mod/Scripts.java
+++ b/core/src/io/anuke/mindustry/mod/Scripts.java
@@ -1,10 +1,12 @@
 package io.anuke.mindustry.mod;
+import io.anuke.arc.files.*;
 import org.graalvm.polyglot.*;
 public class Scripts{
 //TODO allowHostAccess(...) is obviously insecure
- private Context context = Context.newBuilder("js").allowHostClassLookup(s -> s.startsWith("io.anuke.mindustry")).allowHostAccess(HostAccess.ALL).build();
+ private Context context = Context.newBuilder("js").allowHostClassLookup(s -> s.startsWith("io.anuke.mindustry"))
+ .allowHostAccess(HostAccess.newBuilder().allowPublicAccess(true).denyAccess(FileHandle.class).build()).build();
 public Scripts(){
 context.eval("js", "console.log(\"Initialized JS context.\")");
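Review bot: The new policy on the `context` field is still a denylist of one class: `allowPublicAccess(true)` leaves every public member of every other host object a mod script can reach callable, including the reflection entry points inherited from `Object`, so blocking `FileHandle` alone does not confine untrusted mod code. An allowlist is the safer shape here, e.g. `.allowHostAccess(HostAccess.EXPLICIT)` with `@HostAccess.Export` on the methods scripts are meant to call. The lookup filter `s.startsWith("io.anuke.mindustry")` has no trailing dot, so it also matches sibling packages whose names merely begin with that string; `s.startsWith("io.anuke.mindustry.")` is tighter. If the denylist stays for now, the existing TODO should say what is still exposed, for example `//TODO public host access is still allowed; only FileHandle is denied`.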