Failed to set content security policy CSP

Description

I have a Rocket.Chat Docker image on premise.
I want to enable embedding of the omnichannel Livechat widget:

Chrome Console says: Refused to frame ‘h…ttp://my-linux:3000/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘none’”.

Chrome Network tab has this Http Response Header:
HTTP GET h…ttp://my-linux:3000/livechat
Content-Security-Policy: frame-ancestors ‘none’

(Hint: it's actually http, not h…ttp. The forum doesn't allow me to post 3+ hyperlinks.)

I tried to disable CSP in admin:
same effect

Server Setup Information

  • Version of Rocket.Chat Server:
  • Operating System:
  • Deployment Method:
  • Number of Running Instances:
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:
  • Proxy:
  • Firewalls involved:

Any additional Information

I have found the problem with the help of the source code:

HTTP Request Header:
Referer: http://localhost:4200/

Admin>Omnichannel>Livechat>Livechat_AllowedDomainsList
did contain the value: localhost
→ FAILS

It works when the port is included, like
Livechat_AllowedDomainsList=localhost:4200

Basically, I think the port is not part of the domain. But in 99% of cases this won't be a problem, except for local development. I suggest the port should be stripped as well.
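
The behaviour reported above, modelled as an added example that is not part of the original post and is not Rocket.Chat source code. The function names, the comma-separated list format, the empty-list handling and the value sent on a successful match are assumptions; only the Referer value, the two list values and the frame-ancestors 'none' result come from the post.

```javascript
// Added illustration of the reported behaviour; not Rocket.Chat source code.
// Assumption: the allow-list setting is a comma-separated string, and an
// empty list matches nothing in this model.
function parseAllowedList(setting) {
  return setting.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Parse the Referer of the embedding page.
// url.host keeps a non-default port ("localhost:4200"); url.hostname drops it.
function refererParts(referer) {
  try {
    const url = new URL(referer);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return { origin: url.origin, host: url.host, hostname: url.hostname };
  } catch {
    return null; // missing or malformed Referer: fail closed
  }
}

// Build the frame-ancestors directive for the widget response.
// ignorePort=false reproduces the post: the entry must equal host including port.
// ignorePort=true is the variant the poster suggests (compare hostnames only).
// Assumption: on a match the directive names the embedding page's origin.
function frameAncestors(referer, allowedSetting, { ignorePort = false } = {}) {
  const deny = "frame-ancestors 'none'";
  const parts = refererParts(referer);
  if (!parts) return deny;
  const allowed = parseAllowedList(allowedSetting);
  const stripPort = (entry) => entry.replace(/:\d+$/, '');
  const match = ignorePort
    ? allowed.some((entry) => stripPort(entry) === parts.hostname)
    : allowed.includes(parts.host);
  return match ? `frame-ancestors ${parts.origin}` : deny;
}

// Values from the post: Referer http://localhost:4200/ against both list values.
function demo() {
  const referer = 'http://localhost:4200/';
  return {
    withoutPort: frameAncestors(referer, 'localhost'),
    withPort: frameAncestors(referer, 'localhost:4200'),
    portIgnored: frameAncestors(referer, 'localhost', { ignorePort: true }),
  };
}

console.log(demo());
```

Comparing hostnames only means a page served from any port on an allowed host can frame the widget, so exact host:port entries are the tighter setting outside local development.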