diff --git a/changelog/unreleased/fix-csp-silent-refresh.md b/changelog/unreleased/fix-csp-silent-refresh.md
new file mode 100644
index 00000000000..3b6f338d371
--- /dev/null
+++ b/changelog/unreleased/fix-csp-silent-refresh.md
@@ -0,0 +1,6 @@
+Bugfix: CSP rules for silent token refresh in iframe
+
+When renewing the access token silently web needs to be opened in an iframe. This was previously blocked by a restrictive iframe CSP rule in the `Secure` middleware and has now been fixed by allow `self` for iframes.
+
+https://github.com/owncloud/ocis/pull/4031
+https://github.com/owncloud/web/issues/7030
diff --git a/services/web/pkg/middleware/silentrefresh.go b/services/web/pkg/middleware/silentrefresh.go
index 84fb50934bf..fa2033fc318 100644
--- a/services/web/pkg/middleware/silentrefresh.go
+++ b/services/web/pkg/middleware/silentrefresh.go
@@ -8,6 +8,7 @@ import (
 func SilentRefresh(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+ w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
 next.ServeHTTP(w, r)
 })
 }
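Review bot: The added `w.Header().Set("Content-Security-Policy", ...)` in SilentRefresh replaces the whole Content-Security-Policy header, so if the `Secure` middleware the changelog mentions runs before this handler, its other directives (script-src, default-src, etc.) are dropped for this route and only `frame-ancestors 'self'` remains; if it runs afterwards, it overwrites this value and the fix is a no-op. Because browsers enforce every CSP header present, `Add` would not help either — a stricter upstream `frame-ancestors` would still block the iframe — so the result depends entirely on middleware order, which is not visible here and should be confirmed. A more robust fix is to relax `frame-ancestors` for this route inside the `Secure` middleware's own policy rather than re-setting the header here; at minimum add a why-comment above the new line, e.g. `// Overrides any CSP written by an outer middleware; keep in sync with the Secure middleware's frame-ancestors directive.` The exported func SilentRefresh is fully contained in the hunk but carries no doc comment in view; if none exists above line 8, one starting `// SilentRefresh ...` that states the headers it sets and why would help.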