diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index 6124b117a..f5c0e1643 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -125,8 +125,12 @@ server {
 # script-src specifies valid sources for javascript, including inline handlers
 set $scriptSrc "'self' resource: https://${main_domain}";
-# XXX frame-ancestors defines where your cryptpad instance can be embedded...
-set $frameAncestors "https://${main_domain} $https://${sandbox_domain}";
+# frame-ancestors specifies which origins can embed your CryptPad instance
+# this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
+# if you have enabled remote embedding via the admin panel then this must be more permissive.
+# note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
+set $frameAncestors "'self' https://${main_domain}";
+# set $frameAncestors "'self' https: vector:";
 set $unsafe 0;
 # the following assets are loaded via the sandbox domain
diff --git a/lib/defaults.js b/lib/defaults.js
index a3d5acfe3..524ef0720 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -32,7 +32,7 @@ Default.commonCSP = function (Env) {
 "media-src blob:",
 // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
-Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol}`: `frame-ancestors ${domain}${sandbox}`,
+Env.enableEmbedding? `frame-ancestors 'self' ${Env.protocol} vector:`: `frame-ancestors 'self' ${domain}`,
 "worker-src 'self'",
 ""
 ];
diff --git a/www/checkup/main.js b/www/checkup/main.js
index 2b8caf7d7..01192cfce 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
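Review bot: The commented-out alternative `# set $frameAncestors "'self' https: vector:";` uses bare scheme-sources, so once an admin uncomments it any HTTPS page (and anything registered for the vector: scheme) may frame the instance, which is precisely the clickjacking exposure frame-ancestors exists to limit; the comment block above only says "more permissive" and should name that consequence. I'd add `# WARNING: 'https:' lets ANY HTTPS site frame your instance (clickjacking); keep the stricter value unless you really need third-party embedding`. Since lib/defaults.js in the same commit emits its own frame-ancestors and browsers enforce every CSP header they receive, it is presumably also worth stating here that this nginx value must agree with the admin-panel embedding setting, or embedding is blocked by whichever header is stricter.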
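Review bot: The context comment `// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox` directly above the changed line no longer describes it: the sandbox half of the old value is gone and the expression is now the embedding switch. I'd replace it with `// frame-ancestors: with embedding enabled any ${Env.protocol} origin plus the vector: scheme (Element Desktop) may frame us; otherwise only same-origin and the main domain`. Note also that `${Env.protocol}` is emitted as a bare scheme-source, so if Env.protocol is the deployment's own scheme (presumably), an http: deployment with embedding enabled admits every http: page as a framer; if only HTTPS embedders are intended, the literal `https:` would be the safer value. Default.commonCSP starts before this hunk and `domain` is bound outside it.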
@@ -990,7 +990,7 @@ define([
 'img-src': ["'self'", 'data:', 'blob:', $outer],
 'media-src': ['blob:'],
-'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
+'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer],
 'worker-src': ["'self'"],
 });
 cb(result);
@@ -1028,7 +1028,7 @@ define([
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
 'media-src': ['blob:'],
-'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol]: [$outer, $sandbox],
+'frame-ancestors': ApiConfig.enableEmbedding? ["'self'", window.location.protocol, 'vector:']: ["'self'", $outer],
 'worker-src': ["'self'"],//, $outer, $sandbox],
 });
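Review bot: The expected frame-ancestors list is spelled out identically in this hunk and again in the @@ -1028 hunk, so the two checkup tests can drift from each other and from lib/defaults.js the next time the policy changes. I'd hoist it once above both checks, `var expectedFrameAncestors = ApiConfig.enableEmbedding ? ["'self'", window.location.protocol, 'vector:'] : ["'self'", $outer];`, and reference it in both object literals. The define([...]) callback and the test functions holding these literals begin outside the hunks; the `//, $outer, $sandbox]` remnant on the worker-src line of the second hunk looks like a leftover that could be dropped in the same cleanup.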