Thanks for the pointer to the PHP file, editing that worked perfectly. Did you ever find a way to have this set in Docker vars? I have my html folder mounted on a volume outside of the container, but I think it will still get overwritten when it's updated. Will have to see on the next update.
To expand on how to manually allow this after updating:
Locate the ContentSecurityPolicy.php in your container volume; for example, mine is:
/nextcloud/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php
From there, edit this:
/** @var array Domains which can embed this Nextcloud instance */
protected $allowedFrameAncestors = [
    '\'self\' https://*.yourdomain.url https://yourdomain.url',
];
Replace yourdomain.url with the page you are allowing to embed.
Edit:
For those that find this method in the future: using the hide toolbars app is a much easier way of doing this. On top of allowing the headers to be hidden, it exposes a way of allowing CSP URLs directly in the config.php.
See more details here
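An added example, not part of the post above and not Nextcloud code: a simplified check of whether a given embedding page is permitted by the `frame-ancestors` value a server sends, which helps confirm the allow-list is still in place after an update. The header string and the `cloud.example.test` origin are constructed, and matching is simplified (exact scheme match, no IPv6 literals).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def frame_ancestors(csp):
    """Source list of the first frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def _origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def source_allows(source, embedder, own_origin):
    """Simplified match of one source expression against the embedding page."""
    src = source.lower()
    scheme, host, port = _origin(embedder)
    if src == "'none'":
        return False
    if src == "'self'":
        return (scheme, host, port) == _origin(own_origin)
    if src == "*":
        return scheme in DEFAULT_PORTS
    if src.endswith(":") and "/" not in src:        # scheme-source, e.g. "https:"
        return src[:-1] == scheme
    if "://" not in src:                            # no scheme: use our own
        src = _origin(own_origin)[0] + "://" + src
    s_scheme, _, rest = src.partition("://")
    s_host, _, s_port = rest.split("/", 1)[0].partition(":")
    if s_scheme != scheme:
        return False
    if s_port != "*" and int(s_port or DEFAULT_PORTS.get(s_scheme, -1)) != port:
        return False
    if s_host.startswith("*."):                     # subdomains only, not the apex
        return host.endswith(s_host[1:])
    return host == s_host

def may_embed(csp, embedder, own_origin):
    sources = frame_ancestors(csp)
    if sources is None:                             # no directive, no CSP restriction
        return True
    return any(source_allows(s, embedder, own_origin) for s in sources)

# Constructed header carrying the value from the post; origin is a placeholder.
HEADER = "default-src 'none'; frame-ancestors 'self' https://*.yourdomain.url https://yourdomain.url"
OWN = "https://cloud.example.test"
```

The wildcard entry covers subdomains only, which is why the post's value lists the bare domain as a second source.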