From c82bf50708c08707d968a7d393b5c759c82d22c6 Mon Sep 17 00:00:00 2001
From: curious-jeremy <53039106+curious-jeremy@users.noreply.github.com>
Date: Tue, 2 Jun 2020 16:18:01 +0200
Subject: [PATCH] Properly set the iframing headers

- Use `more_set_headers` for the `X-Frame-Options: ALLOW-FROM`, because we actually need to replace the `SAMEORIGIN` option which is already set. Note that this directive is obsolete and is used only for old browser support purpose.
- Add an additional `Content-Security-Policy` header with the correct content. This header is the one checked by modern browsers (such as Firefox or Chrome) to allow iframing.
---
 conf/nginx.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index d225572..19e417c 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -10,5 +10,6 @@ location ^~ __PATH__/ {
  proxy_redirect off;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
- add_header X-Frame-Options "ALLOW-FROM https://__NEXTCLOUDDOMAIN__" always;
-}
\ No newline at end of file
+ more_set_headers "X-Frame-Options: ALLOW-FROM https://__NEXTCLOUDDOMAIN__";
+ add_header Content-Security-Policy "frame-ancestors __NEXTCLOUDDOMAIN__" always;
+}
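Review bot: The new `frame-ancestors` source on the added `add_header Content-Security-Policy` line carries no scheme, while the `X-Frame-Options: ALLOW-FROM` line on the previous added line pins `https://`; a scheme-less host-source is looser than the intent stated in the commit message, so make the two consistent with `add_header Content-Security-Policy "frame-ancestors https://__NEXTCLOUDDOMAIN__" always;`. Because `add_header` appends rather than replaces, a `Content-Security-Policy` header already emitted by the proxied upstream would presumably be delivered alongside this one and browsers enforce the intersection, so it is worth confirming the upstream does not send its own `frame-ancestors`. `more_set_headers` also needs the headers-more module (it is not part of stock nginx), which the commit message and the package's dependency declaration should state so the directive does not fail at config load on a build without it. The enclosing `location ^~ __PATH__/ {` block opens before this hunk.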