renge/element-web: Fix frame-ancestors CSP

Something changed in how Firefox interprets the CSP, which made loading
element web fail.

machines/renge/services/element-web.nix

@@ -3,20 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 { lib, pkgs, ... }:
-let
+
-  # This uses
-  # https://github.com/vector-im/element-web#configuration-best-practices
-  # but allows to disable the frame-ancestors rule for /usercontent/.
-  mkSecurityHeaders = withFrameOptions: ''
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options SAMEORIGIN;
-    add_header X-XSS-Protection "1; mode=block";
-  '' + lib.optionalString withFrameOptions ''
-    add_header Content-Security-Policy "frame-ancestors 'none'";
-  '' + lib.optionalString (!withFrameOptions) ''
-    add_header Content-Security-Policy "frame-ancestors 'self'";
-  '';
-in
 {
   services.nginx.virtualHosts."chat.sbruder.de" = {
     enableACME = true;
@@ -24,8 +11,13 @@ in
 
     root = pkgs.element-web;
 
-    extraConfig = mkSecurityHeaders true;
+    # https://github.com/vector-im/element-web#configuration-best-practices
-    locations."/usercontent/".extraConfig = mkSecurityHeaders false;
+    extraConfig = ''
+      add_header X-Content-Type-Options nosniff;
+      add_header X-Frame-Options SAMEORIGIN;
+      add_header X-XSS-Protection "1; mode=block";
+      add_header Content-Security-Policy "frame-ancestors 'self'";
+    '';
 
     # nixpkgs’s override mechanism doesn’t allow overriding of all options
     locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {