Hi dani. I just went through this myself tonight. What I did to solve it was use security.conf to set the appropriate Content-Security-Policy header, and then in my apache2 virtual hosts file for Rocket.Chat I unset the Content-Security-Policy header.
Sounds a little backwards, but at least for me the issue was that somewhere the Content Security Policy directive: “frame-ancestors ‘none’” header was being set, as well as me purposefully setting the correct CSP frame ancestors header that includes the domain to embed the livechat widget on, but preference was being given to the CSP frame-ancestors ‘none’ line. Unsetting the header in the virtual host seemed to remove the none header & the correct one was left alone just fine.
Hope that helps & works for you or that you already resolved it.
-brandon
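
An added example, not part of the post above: when a response carries more than one Content-Security-Policy, browsers enforce every policy, so a stray `frame-ancestors 'none'` blocks embedding even when another header allows the widget's host. The check below takes the CSP header values seen on a response and reports which policies block a given embedding origin; the header values and `www.example.com` are constructed, and source matching is simplified (ports and paths ignored, `'self'` treated as not matching a third-party embedder).

```python
from urllib.parse import urlsplit

def frame_ancestors(policy):
    """Return the frame-ancestors source list of one policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, origin):
    """Simplified CSP source matching against an embedding origin."""
    o = urlsplit(origin)
    if source == "*":
        return True
    if source.startswith("'"):          # 'none' / 'self': no third-party match
        return False
    if source.endswith(":"):            # scheme source such as "https:"
        return o.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != o.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):           # wildcard host such as *.example.com
        return (o.hostname or "").endswith(host[1:])
    return host == o.hostname

def embedding_allowed(csp_headers, origin):
    """All policies are enforced: each one with frame-ancestors must allow origin.

    A single header value may hold several comma-separated policies."""
    blockers = []
    for value in csp_headers:
        for policy in value.split(","):
            sources = frame_ancestors(policy)
            if sources is not None and not any(
                source_matches(src, origin) for src in sources
            ):
                blockers.append(policy.strip())
    return (not blockers, blockers)

# Constructed sample: the situation described in the post, then after the unset.
BEFORE = ["frame-ancestors 'none'", "frame-ancestors https://www.example.com"]
AFTER = ["frame-ancestors https://www.example.com"]

if __name__ == "__main__":
    print(embedding_allowed(BEFORE, "https://www.example.com"))
    print(embedding_allowed(AFTER, "https://www.example.com"))
```

Feed it the values from `curl -sI` against the widget URL to see whether a second policy is still being sent after a config change.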