Frame ancestor is set to none even though it's not

Question

I'm running a matrix synapse instance with OpenID Keycloak and as web-client, I use Riot. I receive has refused to connect with : "Refused to frame 'https://matrix.domain.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

However I have no problem connecting to it through Riot, I get the error when I display Riot in an iframe and try login, all the websites are of same domain wildcard.

My nginx config on matrix.instance.com is

server { server_name matrix.domain.com; root /var/www/matrix.domain.com; index index.html; #add_header 'Access-Control-Allow-Origin' '*'; add_header Content-Security-Policy "frame-ancestors https://website1.domain.com https://website2.domain.com> location / { proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; proxy_pass http://localhost:8008; }

Answer 1

I have found the solution, matrix-synapse throws the flag from this directory /opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/server.py

The flag is declared within this file. Hence giving you issues when reverse proxying synapse.