diff --git a/config.example.js b/config.example.js
index bcc7a6773..a075b7bb2 100644
--- a/config.example.js
+++ b/config.example.js
@@ -91,6 +91,8 @@ module.exports = {
     // cross-domain iframe. It can simply host the same content as CryptPad.
     // httpSafeOrigin: "https://some-other-domain.xyz",
 
+    httpUnsafeOrigin: domain,
+
     /*  your server's websocket url is configurable
      *  (default: '/cryptpad_websocket')
      *
diff --git a/server.js b/server.js
index 771d055af..a51c94343 100644
--- a/server.js
+++ b/server.js
@@ -150,6 +150,7 @@ app.get('/api/config', function(req, res){
             websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath,
             websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' +
                 websocketPort + '/cryptpad_websocket',
+            httpUnsafeOrigin: config.httpUnsafeOrigin,
         }, null, '\t'),
         'obj.httpSafeOrigin = ' + (function () {
             if (config.httpSafeOrigin) { return config.httpSafeOrigin; }