Refused to frame 'http://127.0.0.1:8099/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'"

Recently we built a JupyterHub using Z2JH. JupyterHub can be used normally, and we integrate the notebook into third-party pages by iframe.
We can open the login page, but there is an error after logging in:

Refused to frame 'http://127.0.0.1:8099/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

The Helm config.yaml:

# This file can update the JupyterHub Helm chart's default configuration values.
#
# For reference see the configuration reference and default values, but make
# sure to refer to the Helm chart version of interest to you!
#
# Introduction to YAML:     https://www.youtube.com/watch?v=cdLNKUoMc6c
# Chart config reference:   https://zero-to-jupyterhub.readthedocs.io/en/stable/resources/reference.html
# Chart default values:     https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/e2dfd47e7ebcd52af19d191aec5bd93038bac90a/jupyterhub/values.yaml
# Available chart versions: https://hub.jupyter.org/helm-chart/
#
singleuser:
  storage:
    dynamic:
      storageClass: managed-nfs-storage
  defaultUrl: "/lab"
  extraEnv:
    JUPYTERHUB_SINGLEUSER_APP: "jupyter_server.serverapp.ServerApp"
  image:
    name: quay.io/jupyter/base-notebook
    tag: latest
  cmd: null
  startTimeout: 3600
hub:
  baseUrl: "/jupyter"
  db:
    type: sqlite-memory
  config:
    Authenticator:
      admin_users:
        - jovyan
      # allowed_users:
        # - xxx01
        # - xxx02
    DummyAuthenticator:
      password: jupyter
    JupyterHub:
      admin_access: true
      authenticator_class: dummy
  extraConfig:
    jupyterhub_config: |
      c.Spawner.args = ['--NotebookApp.allow_origin=*']
      c.JupyterHub.tornado_settings = {'headers': {'Content-Security-Policy': "frame-ancestors * 'self' "}}
debug:
  enabled: true

nginx:

location /jupyter/ {
    proxy_pass http://192.168.129.15:80;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-Scheme $scheme;
    proxy_set_header REMOTE-HOST $remote_addr;
    add_header X-Cache $upstream_cache_status;
    # websocket headers
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Origin "";

    proxy_redirect off;
    proxy_buffering off;
}

Versions:

docker: 20.10.8
kubelet, kubeadm, kubectl: 1.23.6
kubernetes: 1.24.1
helm: 3.3.8

Any suggestions would be very useful, thank you!

You will need to also set the CSP header (ServerApp.tornado_settings = ... just like you have for JupyterHub) in single-user servers, e.g. by creating a jupyter_server_config.py in the container with singleuser.extraFiles.

Note that frame-ancestors * and allow_origin=* do expose your users to CSRF attacks. It would be better to only explicitly grant access to your site that is iframing the Hub, rather than granting permission for every page on the Internet to do the same.

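A jupyter_server_config.py along the lines of the reply above, added here as an example (it is not the thread's own file): it sets the single-user server's Content-Security-Policy and allow_origin to one named embedding site instead of '*', and rejects a wildcard before it can reach the policy. The origin https://portal.example.com is an assumed placeholder.

```python
# jupyter_server_config.py (added example; mount it into the single-user
# container with singleuser.extraFiles as described in the reply).
from urllib.parse import urlsplit

# Assumed placeholder: the one site allowed to put the notebook in an <iframe>.
EMBEDDING_ORIGINS = ["https://portal.example.com"]


def normalize_origin(origin):
    """Return scheme://host[:port] for one embedding site.

    Rejects '*' and anything carrying a path, query or missing scheme so
    that an over-broad value cannot slip into the header unnoticed.
    """
    if origin.strip() == "*":
        raise ValueError("wildcard origin would let any site frame the server")
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"origin must be scheme://host[:port]: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not carry a path or query: {origin!r}")
    return f"{parts.scheme}://{parts.netloc}"


def frame_ancestors_csp(origins):
    """Build a CSP that lets only the server itself and the listed sites frame it."""
    sources = " ".join(normalize_origin(o) for o in origins)
    return f"frame-ancestors 'self' {sources}".rstrip()


def apply_embedding_policy(c, origins):
    """Write the CSP header and CORS origin onto a jupyter_server config object."""
    header = frame_ancestors_csp(origins)
    # Jupyter Server copies every entry of tornado_settings['headers'] onto responses.
    c.ServerApp.tornado_settings = {"headers": {"Content-Security-Policy": header}}
    # ServerApp.allow_origin takes a single origin; use allow_origin_pat for several.
    if origins:
        c.ServerApp.allow_origin = normalize_origin(origins[0])
    return header


try:
    c = get_config()  # noqa: F821 - injected by Jupyter when it loads this file
except NameError:
    c = None  # imported outside Jupyter (e.g. for a test run); nothing to configure
if c is not None:
    apply_embedding_policy(c, EMBEDDING_ORIGINS)
```

The Hub-side header from the question's extraConfig should be narrowed the same way, with the same origin in place of `*`.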

Thanks for your help, it worked!
Add the configuration item:

singleuser:
  extraFiles:
    jupyter_server_config:
      mountPath: /etc/jupyter/jupyter_server_config.py

Copy and modify this file from the image (base-notebook).

Just for testing purposes, they are all set with an asterisk (*).

Then add this file to the helm command:

helm upgrade --cleanup-on-fail \
  --install telehub jupyterhub/jupyterhub \
  --namespace telehub \
  --create-namespace \
  --version=3.3.8 \
  --set-file singleuser.extraFiles.jupyter_server_config.stringData=./jupyter_server_config.py \
  --values config.yaml

This is how we adjusted it; I wonder if there is a more concise way to do it?