Jupyterlab can not display embedded pages (e.g. formgrader)

Hi all,

I installed jupyterhub on a server running Ubuntu 24.04 using conda, following this guide. nginx is used as a reverse proxy. I installed and configured nbgrader, but opening formgrader inside jupyterlab results in a browser error:

Firefox Can’t Open This Page
To protect your security, <server-ip> will not allow Firefox to display the page if another site has embedded it. ...

I can open the page in a different browser tab directly
https://<server-ip>/jupyter/user/<name>/formgrader/manage_assignments
but not inside jupyterlab.

I have played around with the settings of nginx but without success. I tried:
add_header X-Frame-Options "";
or
add_header X-Frame-Options "SAMEORIGIN";
but no success.

Any ideas?
Thanks,
Jan

Current nginx config is from this guide:
/etc/nginx/sites-available/default

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location /jupyter/ {
        proxy_pass http://127.0.0.1:9000;

        proxy_redirect   off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

/etc/nginx/snippets/ssl-params.conf:

ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver <ip1> <ip2> valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options "";
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";

Try opening your browser console: check the error messages, and the headers in the network tab.

Content Security Policy (CSP) is another way of blocking embedding, either using headers or a meta tag in the HTML.

Yes, I see a CSP in the browser console.

But if I add the setting for nginx
add_header content-security-policy "frame-ancestors 'self';";

Two CSPs show up in the browser.

I grepped for content-security in all files in /etc/nginx, but there is no other CSP option set there.
I have no idea where the "frame-ancestors 'none';" policy is set.

So I wonder whether this might be related to configurable-http-proxy or jupyterhub itself?

OK, I found a solution: I added the following in the server section for jupyterhub in
/etc/nginx/sites-available/default

            proxy_hide_header content-security-policy;
            add_header content-security-policy "frame-ancestors 'self';";
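Why the first attempt failed and the final one works comes down to how browsers combine multiple CSP headers: every delivered policy is enforced, so a looser `add_header` next to the upstream `frame-ancestors 'none'` still blocks the frame, and only hiding the upstream header helps. The following is an added example, not code from the thread or from JupyterHub or nginx; it models that rule over constructed sample responses (the origin is a placeholder standing in for https://<server-ip>) so you can check a header set before touching the proxy config.

```python
from urllib.parse import urlsplit

# Constructed sample responses mirroring the thread: before the fix the
# upstream "frame-ancestors 'none'" survives next to nginx's add_header;
# after the fix proxy_hide_header drops the upstream one. The origin is a
# constructed placeholder standing in for https://<server-ip>.
PAGE_ORIGIN = "https://203.0.113.10"
BEFORE_FIX = [("Content-Security-Policy", "frame-ancestors 'none'"),
              ("content-security-policy", "frame-ancestors 'self';")]
AFTER_FIX = [("content-security-policy", "frame-ancestors 'self';")]

def parse_policy(value):
    """Split one CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, page_origin, ancestor_origin):
    """Does one frame-ancestors source expression admit ancestor_origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin == page_origin
    if source == "*":
        return True
    anc = urlsplit(ancestor_origin)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. https:
        return anc.scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else f"{anc.scheme}://{source}")
    if src.scheme != anc.scheme or (src.port and src.port != anc.port):
        return False
    if src.hostname.startswith("*."):  # wildcard host-source, e.g. *.example.edu
        return anc.hostname.endswith(src.hostname[1:])
    return anc.hostname == src.hostname

def frame_allowed(headers, page_origin, ancestor_origin):
    """True only if every CSP header on the response permits the ancestor.
    Browsers enforce all delivered policies, so the strictest one wins:
    adding a second, looser header never relaxes the first."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        sources = parse_policy(value).get("frame-ancestors")
        if sources is None:  # this policy says nothing about framing
            continue
        if not any(source_matches(s, page_origin, ancestor_origin) for s in sources):
            return False
    return True
```

The same logic applies to any response you inspect in the network tab: collect every Content-Security-Policy header, not just the one you configured.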