
Question How to set Contents Security Policy

Zoo3

Regular Pleskian
I'm trying to open Mattermost on Nextcloud (use external site app).
I have been blocked there by the Content Security Policy (CSP).

I wrote the following on Nextcloud nginx.

Code:
add_header Content-Security-Policy "frame-src MATTERMOST-URL";
add_header X-Frame-Options "allow-from https://MATTERMOST-URL";
*When I added default-src to CSP, the behavior of Nextcloud became strange.

But there is no change. So I changed the above "MATTERMOST-URL" to "server IP address". Furthermore, I added the port number of Mattermost. In this case, the error disappeared from the browser and became blank. And if I change X-Frame-Options, there is no change at all.

I managed Nextcloud with Plesk, Mattermost outside Plesk. The MariaDB and site settings used by Mattermost were set by Plesk, but nginx is directly added to nginx.conf. When I built Mattermost on Plesk, I struggled with Mattermost's proxy_pass settings. Will I need to think again by specifying a URL? Mattermost could not run without reading the Mattermost nginx prior to the Plesk-generated nginx. (Mattermost's nginx needs to be readable prior to nginx by Plesk.)

I tried to describe the following for Mattermost's nginx.
Code:
add_header Content-Security-Policy "frame-src NEXTCLOUD-URL";
add_header X-Frame-Options "allow-from https://NEXTCLOUD-URL";

Even this will be blocked by CSP.
I no longer know which to set, CSP or X-Frame-Options.

Please tell me how to avoid CSP.

Regards,

---
CentOS 7.6, Nginx 1.14.2, PHP7.3.3, Plesk 17.8.11
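
An added example, not part of the original post: a simplified Python model of the two checks a browser runs before rendering a cross-origin frame, `frame-src` on the embedding page and `frame-ancestors` / `X-Frame-Options` on the framed response. The hostnames are constructed placeholders, source matching covers only `*`, `'self'` and full origins, and only the direct parent is checked.

```python
from urllib.parse import urlsplit

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}.get(u.scheme))

def parse_csp(value):
    """'frame-src a b; default-src c' -> {'frame-src': ['a', 'b'], 'default-src': ['c']}"""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def matches(sources, url, self_url):
    # Simplified: handles '*', 'self' and full scheme://host[:port] sources only.
    for s in sources:
        if s == "*" or (s == "'self'" and origin(url) == origin(self_url)):
            return True
        if "://" in s and origin(s) == origin(url):
            return True
    return False  # also the outcome for 'none' or an empty source list

def parent_allows(parent_url, parent_csps, frame_url):
    """Embedding page: every CSP header it sends must permit the frame URL."""
    for policy in map(parse_csp, parent_csps):
        for name in ("frame-src", "child-src", "default-src"):  # fallback order
            if name in policy:
                if not matches(policy[name], frame_url, parent_url):
                    return False
                break
    return True

def child_allows(frame_url, headers, parent_url):
    """Framed response: frame-ancestors decides; X-Frame-Options counts only without it."""
    policies = [parse_csp(v) for n, v in headers if n.lower() == "content-security-policy"]
    ancestors = [p["frame-ancestors"] for p in policies if "frame-ancestors" in p]
    if ancestors:
        return all(matches(s, parent_url, frame_url) for s in ancestors)
    for n, v in headers:
        v = v.strip().upper()  # ALLOW-FROM is obsolete; current browsers ignore it
        if n.lower() == "x-frame-options" and (
                v == "DENY" or (v == "SAMEORIGIN" and origin(parent_url) != origin(frame_url))):
            return False
    return True

# Constructed hosts standing in for NEXTCLOUD-URL and MATTERMOST-URL.
NC, MM = "https://cloud.example.test", "https://chat.example.test:8065"
```

In this model, a second `Content-Security-Policy` header added with `add_header` cannot loosen a stricter one the application already sends, because every policy must allow the frame. On the framed side, a `frame-src` directive and `X-Frame-Options: allow-from` impose no restriction and grant nothing; the directive that names permitted embedders is `frame-ancestors`.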
 