diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index 6a9d268e8..4dc2d5068 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -63,12 +63,8 @@ server {
 # Opt out of Google's FLoC Network
 add_header Permissions-Policy interest-cohort=();
- set $coop '';
- #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
-
 # Enable SharedArrayBuffer in Firefox (for .xlsx export)
 add_header Cross-Origin-Resource-Policy cross-origin;
- add_header Cross-Origin-Opener-Policy $coop;
 add_header Cross-Origin-Embedder-Policy require-corp;
 # Insert the path to your CryptPad repository root here
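Review bot: Dropping `add_header Cross-Origin-Opener-Policy $coop` while keeping `add_header Cross-Origin-Embedder-Policy require-corp` leaves the example half-way to cross-origin isolation, which defeats the purpose stated in the surviving `# Enable SharedArrayBuffer in Firefox (for .xlsx export)` comment: browsers expose SharedArrayBuffer only when COOP `same-origin` and COEP `require-corp` are both sent, so after this change the export path loses the capability while COEP still refuses every cross-origin subresource that lacks CORP/CORS headers. If the intent is to abandon isolation, the COEP line should go with the COOP one; if isolation is still wanted on the editor paths, the opener policy belongs back (the removed `$uri` switch shows it was meant to be scoped to `/sheet/`, `/doc/` and friends). Whichever it is, say so next to the COEP line, e.g. `# COEP without COOP same-origin does not enable SharedArrayBuffer; kept only for CORP enforcement`, so the next reader does not reintroduce `$coop` by accident.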
@@ -87,23 +83,23 @@ server {
 add_header Cache-Control $cacheControl;
 # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
- set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
+ set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
 # connect-src restricts URLs which can be loaded using script interfaces
- set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
+ set $connectSrc "'self' https://${main_domain} https://${api_domain} blob: wss://${api_domain} https://${files_domain} https://${sandbox_domain}";
 # fonts can be loaded from data-URLs or the main domain
- set $fontSrc "'self' data: ${main_domain}";
+ set $fontSrc "'self' data: https://${main_domain}";
 # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
- set $imgSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
+ set $imgSrc "'self' data: blob: https://${main_domain}";
 # frame-src specifies valid sources for nested browsing contexts.
 # this prevents loading any iframes from anywhere other than the sandbox domain
- set $frameSrc "'self' ${sandbox_domain} blob:";
+ set $frameSrc "'self' https://${sandbox_domain} blob:";
 # specifies valid sources for loading media using video or audio
- set $mediaSrc "'self' data: blob: ${main_domain} ${sandbox_domain}";
+ set $mediaSrc "blob:";
 # defines valid sources for webworkers and nested browser contexts
 # deprecated in favour of worker-src and frame-src
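Review bot: `set $mediaSrc "blob:"` silently drops `'self'`, `data:` and both host entries, but the comment above it (`# specifies valid sources for loading media using video or audio`) is unchanged, so an operator copying the example cannot tell whether the tightening is deliberate or a slip; the matching `'media-src': ['blob:']` in `www/checkup/main.js` later in this commit suggests it is intended. A one-line note such as `# media is only played from object URLs minted by the client, so no host sources are needed` (assuming that is the reason — confirm) would document it. The same applies, less urgently, to `$imgSrc` losing `${sandbox_domain}` without its comment changing.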
@@ -111,10 +107,10 @@ server {
 # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
 # supercedes child-src but is unfortunately not yet universally supported.
- set $workerSrc "https://${main_domain}";
+ set $workerSrc "'self'";
 # script-src specifies valid sources for javascript, including inline handlers
- set $scriptSrc "'self' resource: ${main_domain}";
+ set $scriptSrc "'self' resource: https://${main_domain}";
 set $unsafe 0;
 # the following assets are loaded via the sandbox domain
@@ -132,7 +128,7 @@ server {
 # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
 if ($unsafe) {
- set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
+ set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
 }
 # Finally, set all the rules you composed above.
diff --git a/lib/defaults.js b/lib/defaults.js
index d924c0004..83ed582af 100644
--- a/lib/defaults.js
+++ b/lib/defaults.js
@@ -16,9 +16,9 @@ Default.commonCSP = function (domain, sandbox) {
 * it is recommended that you configure these fields to match the
 * domain which will serve your CryptPad instance.
 */
- "child-src " + domain, //'self' blob: " + domain + sandbox,
+ "child-src " + domain,
 // IE/Edge
- `frame-src 'self' blob:${sandbox}/* blob:${domain}/* ${sandbox}`,
+ "frame-src 'self' blob: " + sandbox,
 /* this allows connections over secure or insecure websockets
 if you are deploying to production, you'll probably want to remove
@@ -32,7 +32,7 @@ Default.commonCSP = function (domain, sandbox) {
 // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
 "frame-ancestors *",
- "worker-src 'self'", // + domain + sandbox,
+ "worker-src 'self'",
 ""
 ];
 };
diff --git a/www/checkup/main.js b/www/checkup/main.js
index e54b0b98c..991523e5a 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
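Review bot: `set $workerSrc "'self'"` is origin-relative whereas the old `https://${main_domain}` was absolute, so its meaning now depends on which host a response is served for: if this `server` block also answers for `${sandbox_domain}` (the `# the following assets are loaded via the sandbox domain` / `$unsafe` switch suggests it does), sandbox-domain pages can no longer start workers from the main domain. That matches `"worker-src 'self'"` in `lib/defaults.js` and is a sound tightening if sandboxed frames only spawn their own workers; if they do pull worker scripts from the main domain, keep both, `set $workerSrc "'self' https://${main_domain}";`. Either way a comment is warranted, e.g. `# 'self' is evaluated per origin: main-domain and sandbox-domain responses each allow only their own worker scripts`.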
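Review bot: `"frame-src 'self' blob: " + sandbox` and the retained `"child-src " + domain` only produce an https-only policy if `domain` and `sandbox` already carry a scheme, and the hunk does not show what callers of `Default.commonCSP` pass (the function starts before the hunk); the nginx example in the same commit moved every host to an explicit `https://` prefix, so if these arguments are bare hostnames the Node defaults and the example config now disagree on exactly the point this change is about. Note also that the old template literal restricted blobs to `blob:${sandbox}/*` and `blob:${domain}/*`, while the new bare `blob:` admits any blob URL in a frame — consistent with `$frameSrc` in the nginx example, but broader than before. A comment on the parameters, e.g. `// domain and sandbox are expected to include their scheme (https://host); see $main_domain/$sandbox_domain in docs/example.nginx.conf`, would pin the contract either way.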
@@ -930,6 +930,8 @@ define([
 $outer,
 $sandbox,
 /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+ // XXX https://$files_domain
+ // XXX wss://$api_domain
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
@@ -966,6 +968,11 @@ define([
 $outer,
 $sandbox,
 /https:\/\//.test($outer)? $outer.replace('https://', 'wss://') : 'ws:',
+<<<<<<< HEAD
+=======
+ // XXX https://$files_domain
+ // XXX wss://$api_domain
+>>>>>>> soon
 ],
 'img-src': ["'self'", 'data:', 'blob:', $outer],
 'media-src': ['blob:'],
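Review bot: The two `// XXX` lines appended to the `connect-src` list only record that `https://$files_domain` and `wss://$api_domain` are missing; nothing is added to the array, so whatever this checkup compares against will still not expect the `https://${files_domain}` and `wss://${api_domain}` entries that `docs/example.nginx.conf` now emits in `$connectSrc`, and the comparison will presumably keep flagging a correct deployment. Either add the real values next to `$outer`/`$sandbox` (the `https://` → `wss://` rewrite on the line above could derive the websocket entry if the API host is known here, which the hunk does not show) or make the placeholder say what it is waiting on, e.g. `// TODO: expect files_domain/api_domain once the checkup can learn those hosts (see $connectSrc in docs/example.nginx.conf)`. The enclosing array and the `define([` callback begin and end outside the hunk.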
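Review bot: `<<<<<<< HEAD`, `=======` and `>>>>>>> soon` are committed merge-conflict markers inside an array literal; they are a syntax error, so `www/checkup/main.js` will fail to parse and the whole checkup page stops working as soon as this revision is served. Resolve the conflict by deleting the three marker lines and keeping (or dropping, see the identical placeholders in the hunk at `@@ -930`) the two `// XXX` comments. A lint or pre-commit check for conflict markers would have caught this before merge.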