diff --git a/.htaccess b/.htaccess
index 449dcc730..faa8201c8 100644
--- a/.htaccess
+++ b/.htaccess
@@ -26,7 +26,6 @@
 # Header set Strict-Transport-Security "max-age=31536000"
 Header set imagetoolbar "no"
 # Header set X-Content-Type-Options "nosniff"
-# Header set X-Frame-Options "DENY"
 # Header set X-XSS-Protection "1; mode=block"
 Header set Service-Worker-Allowed "/"
diff --git a/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php b/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php
index a9d29d6c0..cc828ee49 100644
--- a/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php
+++ b/snappymail/v/0.0.0/app/libraries/snappymail/http/csp.php
@@ -29,8 +29,8 @@ class CSP
 {
 if ($default) {
 foreach (\explode(';', $default) as $directive) {
-$values = \explode(' ', $directive);
-$name = \str_replace('-', '_', \preg_replace('/-(src)$/D', '', \trim(\array_shift($values))));
+$values = \preg_split('/\\s+/', $directive);
+$name = \str_replace('-', '_', \preg_replace('/-(src|uri)$/D', '', \trim(\array_shift($values))));
 $this->$name = \array_unique(\array_merge($this->$name, $values));
 }
 }
@@ -73,6 +73,11 @@ class CSP
 } else {
 \header('Content-Security-Policy: ' . $this);
 }
+if (!$this->frame_ancestors) {
+\header('X-Frame-Options: DENY');
+} else {
+// \header('X-Frame-Options: SAMEORIGIN');
+}
 }
 public static function logReport() : void
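Review bot: The new `\preg_split('/\\s+/', $directive)` still yields an empty first element when a directive starts with whitespace, which is the normal shape after splitting on `;` (e.g. `default-src 'self'; script-src 'self'`), and the same happens for the empty tail after a trailing `;`; `\trim(\array_shift($values))` then produces an empty `$name` and the following `$this->$name` access is undefined. Passing the no-empty flag and trimming the directive first avoids both cases: `$values = \preg_split('/\\s+/', \trim($directive), -1, PREG_SPLIT_NO_EMPTY);` followed by `if (!$values) { continue; }`. Whether `$default` is ever passed with those separators cannot be confirmed from the hunk, so treat this as a hardening of the parser rather than a confirmed crash. The constructor whose body this is begins before the hunk.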
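Review bot: `X-Frame-Options: DENY` is only sent when `$this->frame_ancestors` is empty, so a policy of `frame-ancestors 'none'` (the CSP equivalent of DENY) or `frame-ancestors 'self'` (the equivalent of SAMEORIGIN) emits no legacy header at all, leaving browsers without `frame-ancestors` support unprotected in exactly the configurations where the operator asked for restriction. The `else` branch holding only a commented-out call is dead code and should be dropped or replaced. The enclosing method begins before the hunk, so the surrounding header logic is inferred from the visible `\header('Content-Security-Policy: ' . $this)` call.

```php
// … unchanged: Content-Security-Policy header emission …
$ancestors = \array_values($this->frame_ancestors);
if (!$ancestors || $ancestors === ["'none'"]) {
    \header('X-Frame-Options: DENY');
} elseif ($ancestors === ["'self'"]) {
    \header('X-Frame-Options: SAMEORIGIN');
}
// other frame-ancestors lists have no X-Frame-Options equivalent; CSP-aware browsers ignore XFO when frame-ancestors is present
```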