diff --git a/config.example.js b/config.example.js
index d5b0c5dbf..c7a831b4c 100644
--- a/config.example.js
+++ b/config.example.js
@@ -45,6 +45,9 @@ module.exports = {
 // data: is used by codemirror
 "img-src 'self' data: blob:",
+
+ // for accounts.cryptpad.fr authentication
+ "frame-ancestors 'self' accounts.cryptpad.fr",
 ].join('; '),
 // CKEditor requires significantly more lax content security policy in order to function.
diff --git a/server.js b/server.js
index eb16fbcf1..289184d8a 100644
--- a/server.js
+++ b/server.js
@@ -34,6 +34,11 @@ var setHeaders = (function () {
 const headers = clone(config.httpHeaders);
 if (config.contentSecurity) {
 headers['Content-Security-Policy'] = clone(config.contentSecurity);
+ if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
+ // backward compat for those who do not merge the new version of the config
+ // when updating. This prevents endless spinner if someone clicks donate.
+ headers['Content-Security-Policy'] += "frame-ancestors 'self' accounts.cryptpad.fr;";
+ }
 }
 const padHeaders = clone(headers);
 if (config.padContentSecurity) {
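Review bot: The comment above the new `frame-ancestors` entry says it is "for accounts.cryptpad.fr authentication", while the fallback added in server.js describes the same directive as avoiding an endless spinner when someone clicks donate; the example config is the text operators actually read, so it should state the real purpose and consequence, e.g. `// allows pages on accounts.cryptpad.fr to embed this instance in a frame (donate/account flow); remove if you do not use it`. Note that a host-only source in `frame-ancestors` permits every page on that host to frame every page of the instance, not just the account flow, and its scheme matching follows the scheme of the served page; writing `https://accounts.cryptpad.fr` makes the intended scheme explicit regardless of how the instance is served. If the existing `httpHeaders` block (outside this hunk) also sets an `X-Frame-Options` header, it is worth documenting which one wins, since browsers that honour `frame-ancestors` ignore `X-Frame-Options` and older ones do the reverse.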
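Review bot: The fallback appends `"frame-ancestors 'self' accounts.cryptpad.fr;"` with no leading separator, so for any existing `contentSecurity` value that does not already end in `;` — which is what the example config's `.join('; ')` produces — the result is `...blob:frame-ancestors 'self' accounts.cryptpad.fr;`, where `blob:frame-ancestors` becomes a bogus source in the previous directive and no `frame-ancestors` directive is created at all; the backward-compat path therefore does not do what its comment says. Prefix the separator instead, `headers['Content-Security-Policy'] += "; frame-ancestors 'self' accounts.cryptpad.fr";`, which is also tolerated by CSP parsers when the existing value already ends in `;` (an empty directive is skipped). The `indexOf` guard is a plain substring match and the `+=` assumes the cloned value is a string; if `contentSecurity` can be an array, this silently stringifies it — worth confirming against the config loader. Separately, this branch hard-codes a third-party origin into the policy of every self-hosted instance whose operator never opted in; a comment or log line at startup making that visible would help operators who deliberately keep a stricter policy. The enclosing `setHeaders` IIFE begins before and continues after this hunk.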