Livechat Script on remote domain

After updating to Rocket.Chat 3.3.3 on my own hosted server the Script for Livechatting wasn’t shown on my site at another domain.

The browser console informed me:
Refused to display xxxxx in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.

I added:
Header set X-Frame-Options “ALLOW-FROM xxxxx”
to httpd.conf and now the Script was working but got this information in the browser console:
Invalid ‘X-Frame-Options’ header encountered when loading xxxxx/livechat’: ‘ALLOW-FROM xxxxx’ is not a recognized directive. The header will be ignored.

Changed httpd.conf to:
Header set X-Frame-Options ALLOWALL
And now the Script is working from Safari, Firefox and Edge (Chromium) and no warning or errors regarding this in the console. But I understand that there is a security risk involved with this directive.

Does anyone have a better solution? And why has this changed in Rocket.Chat 3.3? Thanks.

Server Setup Information

  • Rocket.Chat Server 3.3.3
  • CentOS 7.8
  • Apache 2.4.6
  • NodeJS 12.14
  • MongoDB 4.0.19