Thank you this solved my problem in Nextcloud 16!
I have since updated to Nextcloud 17 and have found the same problem.
Note: config/ is used, interchangeably, instead of var/ as my nextcloud installation is inside a docker container.
In Nextcloud 17 config/www/nextcloud/lib/private/legacy/response.php is instead used for sending fallback headers for installations that don’t have the possibility to send custom headers on the webserver side. This means it no longer needs to be edited to allow iFrame usage.
After updating to Nextcloud 17, response.php and ContentSecurityPolicy.php were restored to normal.
To allow iFrame usage you no longer need to edit response.php.
I needed to edit ContentSecurityPolicy.php as you had shown and config/nginx/site-confs/default.
The changes made to config/www/nextcloud/lib/public/AppFramework/Http/ContentSecurityPolicy.php were:
/** @var array Domains from which iframes can be loaded */
protected $allowedFrameDomains = [
'https://*.domain.tld',
];
protected $allowedFrameAncestors = [
'\'self\'',
'https://*.domain.tld',
];
The changes made to config/nginx/site-confs/default were:
add_header X-Frame-Options "allow-from https://*.domain.tld" always;
I hope this helps you.
There is currently a pull request to reflect these changes in the releases notes, https://github.com/nextcloud/documentation/pull/1630/files