After updating to Rocket.Chat 3.3.3 on my self-hosted server, the Livechat script was no longer shown on my site on another domain.
The browser console informed me:
Refused to display xxxxx in a frame because it set 'X-Frame-Options' to 'sameorigin'.
I added:
Header set X-Frame-Options "ALLOW-FROM xxxxx"
to httpd.conf, and the script worked again, but I got this message in the browser console:
Invalid 'X-Frame-Options' header encountered when loading 'xxxxx/livechat': 'ALLOW-FROM xxxxx' is not a recognized directive. The header will be ignored.
I changed httpd.conf to:
Header set X-Frame-Options ALLOWALL
Now the script works in Safari, Firefox and Edge (Chromium), with no warnings or errors about this in the console. But I understand that there is a security risk involved with this directive.
Does anyone have a better solution? And why has this changed in Rocket.Chat 3.3? Thanks.
Server Setup Information
- Rocket.Chat Server 3.3.3
- CentOS 7.8
- Apache 2.4.6
- NodeJS 12.14
- MongoDB 4.0.19
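The two headers tried in the post illustrate the problem: X-Frame-Options ALLOW-FROM was never implemented by Chromium-based browsers or Safari and has been dropped by Firefox, so browsers ignore it and fall back to no framing protection at all, while ALLOWALL is not a defined directive and simply disables the protection, which exposes anyone logged into the Rocket.Chat instance to clickjacking from any page that frames it. The standards-track replacement is the Content-Security-Policy frame-ancestors directive, which every current browser honours and which takes an explicit allow-list. The following Apache fragment is an added example, not configuration from the original post or from the Rocket.Chat project; it assumes Apache reverse-proxies the Rocket.Chat instance (placeholder chat.example.com) and that the Livechat widget is embedded only from the placeholder site https://www.example.org. Because only the widget route needs to be framed, the relaxed policy is scoped to /livechat and the rest of the instance keeps the same-origin restriction.

```apacheconf
# Added example (not from the original post or Rocket.Chat). Placeholder hostnames:
#   chat.example.com    - the Rocket.Chat server behind this Apache vhost
#   www.example.org     - the only site allowed to embed the Livechat widget
<VirtualHost *:443>
    ServerName chat.example.com

    # ... SSL and ProxyPass / ProxyPassReverse directives for Rocket.Chat go here ...

    # Weak setting (what the post ended up with): lets ANY origin frame the whole
    # Rocket.Chat instance, including the logged-in agent/admin UI.
    # Header set X-Frame-Options ALLOWALL

    # Default for everything except the widget: same-origin framing only.
    # 'always' also applies the header to non-2xx responses (redirects, errors).
    Header always set Content-Security-Policy "frame-ancestors 'self'"

    # Widget route: allow framing by the embedding site only.
    <Location "/livechat">
        # Drop the backend's X-Frame-Options: sameorigin so it cannot conflict with
        # the CSP allow-list (browsers prefer frame-ancestors when both are present,
        # but an explicit unset keeps the response unambiguous).
        Header always unset X-Frame-Options
        Header always set Content-Security-Policy "frame-ancestors 'self' https://www.example.org"
    </Location>
</VirtualHost>
```

After reloading Apache, confirm the result with `curl -sI https://chat.example.com/livechat | grep -i -e content-security-policy -e x-frame-options`: the /livechat response should carry only the CSP header with the allow-list, and any other path should still carry `frame-ancestors 'self'`. If Rocket.Chat already emits a Content-Security-Policy header on your version, replace `Header always set` with `Header always edit` or merge the directives, since `set` overwrites the backend's value.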