diff --git a/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
index ba348b67f6..67689a925c 100644
--- a/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
@@ -42,8 +42,8 @@ public class SecurityHeadersFilter extends HttpFilter {
 response.setHeader("X-Content-Type-Options", "nosniff");
 response.setHeader("Content-Security-Policy",
 "form-action 'self'; " +
- "object-src 'none'; " +
- "frame-ancestors 'none'; " +
+ "object-src 'self'; " +
+ "frame-ancestors 'self'; " +
 "block-all-mixed-content"
 );
 response.setHeader("Permissions-Policy",
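Review bot: The two relaxed directives in the `Content-Security-Policy` value, `object-src 'self'` and `frame-ancestors 'self'`, now apply to every response this filter touches, and nothing in the hunk says which feature needs them. If this application serves user-supplied repository content from its own origin (not visible here), `object-src 'self'` may allow that content to be loaded through `<object>`/`<embed>`, so it would be safer to keep `'none'` as the default and send the looser policy only for the view that needs embedding, if that is feasible. If an `X-Frame-Options` header is set elsewhere in this method (its body starts and ends outside the hunk), it should be checked to agree with `frame-ancestors 'self'`. At minimum I would add a comment above the header, e.g. `// 'self' needed for <feature>: same-origin embedding only; do not widen further`.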