Owncloud Content-Security-Policy origin issue (?)

(URLs below with # chars due to n00b link restrictions in post)

So I have an otherwise fully functional OwnCloud server, with the RichDocuments plugin enabled. I’ve managed to get a CODE install running on the same box, with various configurations (e.g. SSL, proxy, etc).

Individually, both seem to function fine, with no obvious errors I can detect. However, when I point OwnCloud to CODE, I’ll get a variant of this no matter what I try: Selecting “Office” brings up sample docs, but editing anything (e.g. double-clicking an example document) will return a window with Chrome all mad at it, blocking something.

Going to the console window, a more useful error appears:

jquery.js:3761 Refused to frame ‘htt#s://{mywebsite}/loleaflet/a937747/loleaflet.html?WOPISrc=htt#s%3A%2F%2F{mywebsite}%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F47_ockc6j2ydjgv_0_0&title=New%20Document%20(2).odt&lang=en&closebutton=1&revisionhistory=1’ because it violates the following Content Security Policy directive: “frame-src htt#:// blob:”.

I’ve tried various ways of trying to make this work, like pointing to proxy (as documented) vs localhost, SSL and no SSL, setting FRAME_ANCESTORS in loolwsd.cfg (possibly incorrectly, as I can’t find an example), futzing with SERVER_NAME and fudging the proxy config in apache to support it, and so forth… and while I can change what shows up, in the end, I can’t find a configuration where whatever window is being blocked is close enough to the hostname as the source window that the browser doesn’t call foul (assuming that’s the problem).

Using the SERVER_NAME and adding a “fake” subdirectory (e.g. Easy Website Builder | Web Hosting Included | Ownwebsite.com), defining that directory in the Apache proxy config (e.g. “ProxyPassReverse /code/loleaflet htt#s://”) got the closest, but a significant number of stylesheets and JS files did not respect the addition, and failed.

I’ve looked over this like 20 times now, is there something simple I’m missing? If I installed CODE on a different server entirely, I’d fathom I’d still have the same problem.
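
For readers hitting the same "Refused to frame" message: the browser takes the `frame-src` source list from the policy of the page doing the framing and compares the framed URL's scheme, host and port against each entry. The JavaScript below is an added illustration of that comparison, not part of the original post and not ownCloud or CODE code; it is a simplified matcher (source paths and http-to-https upgrade matching are ignored), and every hostname, port and policy string in it is a constructed placeholder.

```javascript
// Added example: simplified CSP source-list matching for framed URLs.
// Not a browser's full algorithm: source paths and http->https upgrades are ignored.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const effectivePort = (u) => u.port || DEFAULT_PORT[u.protocol] || "";

function matchesSource(expr, target, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === self.origin;
  if (expr === "*") return target.protocol in DEFAULT_PORT;
  // scheme-source such as "https:" or "blob:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ":" : self.protocol;
  const host = m[2].toLowerCase();
  if (target.protocol !== scheme) return false;
  const hostOk = host.startsWith("*.")
    ? target.hostname.endsWith(host.slice(1))
    : target.hostname === host;
  if (!hostOk) return false;
  // No port in the source means the scheme's default port only.
  return m[3] === "*" || effectivePort(target) === (m[3] || DEFAULT_PORT[scheme] || "");
}

function checkFrame(policy, frameUrl, pageUrl) {
  const self = new URL(pageUrl);
  const target = new URL(frameUrl);
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  // frame-src falls back to child-src, then default-src.
  const directive = ["frame-src", "child-src", "default-src"].find((d) => directives.has(d));
  if (!directive) return { allowed: true, directive: null };
  const allowed = directives.get(directive).some((s) => matchesSource(s, target, self));
  return { allowed, directive };
}

// Constructed values: hostnames, port and policies are placeholders, not from the post.
const page = "https://cloud.example.test/index.php/apps/richdocuments/";
const editor = "https://cloud.example.test/loleaflet/a937747/loleaflet.html";
for (const policy of ["frame-src https://office.example.test blob:", "frame-src 'self' blob:"]) {
  console.log(policy, "=>", checkFrame(policy, editor, page));
}
```

To use it on a real setup, paste the `Content-Security-Policy` response header of the ownCloud page and the exact frame URL from the console error into `checkFrame`; a `false` result points at the scheme, host or port entry that needs to be in the source list.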