For Nextcloud 21, modify values in:
/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
in the buildPolicy function by changing the section under allowedFrameDomains (line 499) to:
"frame-src https://*.yourdomain.com"
and in the section allowedFrameAncestors (line 509) to:
"frame-ancestors https://*.yourdomain.com"
Also still comment out the "X-Frame-Options: SAMEORIGIN" line in /lib/private/legacy/OC_Response.php to ensure values from the Content-Security-Policy header govern X-Frame rules instead.
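
A header check for the result of these edits, as an added example that is not Nextcloud's code or part of the original instructions: it parses a response's Content-Security-Policy and reports whether a given embedding origin is covered by frame-ancestors and whether X-Frame-Options is still being sent. The sample headers and the origin portal.yourdomain.com are constructed, and only scheme://host sources are evaluated ('self', bare schemes and a lone * are not handled).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the headers expected once both edits are in place.
AFTER = {
    "Content-Security-Policy": "default-src 'none'; "
    "frame-src https://*.yourdomain.com; "
    "frame-ancestors https://*.yourdomain.com",
}
# Constructed sample: CSP edited, but OC_Response.php still sends the old header.
XFO_LEFT = dict(AFTER, **{"X-Frame-Options": "SAMEORIGIN"})


def directive_sources(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def host_source_matches(source, origin):
    """Match an origin against a scheme://host[:port] CSP source expression."""
    src, org = urlsplit(source), urlsplit(origin)
    if src.scheme != org.scheme:
        return False
    if (src.port or DEFAULT_PORTS.get(src.scheme)) != (org.port or DEFAULT_PORTS.get(org.scheme)):
        return False
    pattern, host = src.hostname or "", org.hostname or ""
    if pattern.startswith("*."):
        # "*.example" matches any subdomain, never the bare domain itself.
        return host.endswith(pattern[1:])
    return host == pattern


def framing_findings(headers, embedding_origin):
    """List the problems that would stop embedding_origin framing the page."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ancestors = directive_sources(h.get("content-security-policy", ""), "frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors directive in Content-Security-Policy")
    elif not any(host_source_matches(s, embedding_origin) for s in ancestors):
        findings.append(f"frame-ancestors does not cover {embedding_origin}")
    if "x-frame-options" in h:
        findings.append("X-Frame-Options is still sent: " + h["x-frame-options"])
    return findings
```

The wildcard source https://*.yourdomain.com covers subdomains only, so a page served from https://yourdomain.com itself is not an allowed ancestor unless that origin is listed as well.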