diff --git a/seahub/templates/snippets/office_convert_js.html b/seahub/templates/snippets/office_convert_js.html
index e9c5a44abe..c06a528a84 100644
--- a/seahub/templates/snippets/office_convert_js.html
+++ b/seahub/templates/snippets/office_convert_js.html
@@ -20,7 +20,8 @@ var OfficePreviewer = function(file_id, preview_token) {
             $.param({file_id: this.file_id, page: page});
     }
     this.page_content_url = function(page) {
-        return "{% url 'office_convert_get_page' obj_id %}/" + page + '.page';
+        return "{% url 'office_convert_get_page' obj_id %}/"
+            + page + '.page?office_preview_token=' + this.preview_token;
     }
 
     var url = window.location.href;
diff --git a/seahub/views/file.py b/seahub/views/file.py
index 37f76f3eb9..a83e250745 100644
--- a/seahub/views/file.py
+++ b/seahub/views/file.py
@@ -1382,11 +1382,11 @@ def office_convert_get_page(request, path, internal=False):
         return HttpResponseForbidden()
 
     file_id = m.group(1)
-    # if path.endswith('file.css'):
-    #     pass
-    # else:
-    #     if request.office_preview_token != do_md5(file_id + settings.SECRET_KEY):
-    #         return HttpResponseForbidden()
+    if path.endswith('file.css'):
+        pass
+    else:
+        if request.office_preview_token != do_md5(file_id + settings.SECRET_KEY):
+            return HttpResponseForbidden()
 
     resp = get_office_converted_page(request, path, file_id, internal=internal)
     resp['Content-Type'] = 'text/html'