
Unable to load livechat since updating to 3.3.0 due to X-Frame-Options: sameorigin #17786

Open
jakguru opened this issue May 29, 2020 · 12 comments
Labels
stat: stale Stale issues will be automatically closed if no activity

Comments

@jakguru

jakguru commented May 29, 2020

Description:

Today I updated my server from 2.9.x to 3.3.0. After finishing the upgrade, I navigated to one of the websites which utilizes the Live Chat (now Omnichat) integration, only to find a grey square (of an iframe which didn't load) where the Live Chat button should have been. I looked in the console and found an error caused by the X-Frame-Options: sameorigin header.

I tried specifically adding the hostname of the website(s) which utilize the Livechat, but that did not make any difference. I confirmed that the issue was caused by Rocket Chat and not by an intermediary by running a curl request directly from the server:

curl -v http://localhost:3000/livechat

Which responded with:

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3000 (#0)
> GET /livechat HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< X-XSS-Protection: 1
< X-Frame-Options: sameorigin
< X-Instance-ID: mpXqru2q2qES9pnw7
< content-type: text/html; charset=utf-8
< Vary: Accept-Encoding
< Date: Fri, 29 May 2020 20:03:59 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked

Note: I have been able to mitigate the issue through the use of Cloudflare's Workers, which allows me to remove the header. This does resolve the issue, however I would prefer to not have to pay the $5/month to ensure that my self-hosted livechat is working correctly.

Steps to reproduce:

  1. From the machine hosting Rocket Chat, make a verbose curl request:
curl -v http://localhost:3000/livechat

Expected behavior:

If there are domains configured, then the X-Frame-Options header should reflect those domains. Otherwise it should not be present.

Actual behavior:

X-Frame-Options: sameorigin is returned

Server Setup Information:

  • Version of Rocket.Chat Server: 3.3.0
  • Operating System: Linux
  • Deployment Method: DigitalOcean
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled
  • NodeJS Version: v12.16.1
  • MongoDB Version:
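As an added example (not Rocket.Chat's own code), the Python below applies the browser framing rules to a response head like the curl capture above and reports whether a given site origin would be allowed to embed the livechat iframe. The origins are constructed for the test; CSP `frame-ancestors` is included because browsers let it override `X-Frame-Options` when both headers are present.

```python
"""Decide whether a response with these headers can be framed by a given
embedding origin. Rules modelled: X-Frame-Options DENY / SAMEORIGIN, the
obsolete ALLOW-FROM (ignored by current browsers, so no restriction), and
CSP frame-ancestors, which takes precedence when present. Simplification:
frame-ancestors host wildcards and scheme-less sources are not matched."""
from urllib.parse import urlsplit

# Constructed sample: the curl -v response head reported in this issue.
LIVECHAT_RESPONSE = """< HTTP/1.1 200 OK
< X-XSS-Protection: 1
< X-Frame-Options: sameorigin
< X-Instance-ID: mpXqru2q2qES9pnw7
< content-type: text/html; charset=utf-8
"""


def parse_headers(raw):
    """Map lowercase header names to values; accepts plain or curl '< ' lines."""
    headers = {}
    for line in raw.splitlines():
        line = line.lstrip("< ").strip()
        if line.startswith(("HTTP/", "*", ">")) or ":" not in line:
            continue  # status line, curl chatter, or not a header
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(raw_response, framed_url, embedder_url):
    """Return (allowed, reason) for embedder_url framing framed_url."""
    h = parse_headers(raw_response)
    framed, embedder = origin_of(framed_url), origin_of(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            ok = ("*" in sources or embedder in sources
                  or ("self" in sources and embedder == framed))
            return ok, "frame-ancestors decides; X-Frame-Options is ignored"
    xfo = h.get("x-frame-options", "").lower()
    if xfo == "deny":
        return False, "X-Frame-Options: DENY blocks all framing"
    if xfo == "sameorigin":
        return embedder == framed, "SAMEORIGIN compares the top-level origin"
    if xfo.startswith("allow-from"):
        return True, "ALLOW-FROM is obsolete; browsers ignore the header"
    return True, "no framing restriction header present"
```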
@renatobecker
Contributor

@jakguru let me get this straight...
So, you're trying to reach the URL -> http://localhost:3000/livechat from one of your websites, is that correct?

Also, have you set up the following setting?
[Screenshot: Screen Shot 2020-05-29 at 17 55 51]

I'll be waiting for your feedback.

@jakguru
Author

jakguru commented May 29, 2020

> @jakguru let me get this straight...
> So, you're trying to reach the URL -> http://localhost:3000/livechat from one of your websites, is that correct?
>
> Also, have you set up the following setting?
> [Screenshot: Screen Shot 2020-05-29 at 17 55 51]
>
> I'll be waiting for your feedback.

No, that is not correct. I'm trying to reach https://{domain}/livechat from one of my websites, and I'm getting an error on the console about being unable to load an iframe due to the X-Frame-Options header returning a value of sameorigin.

In order to ensure that the issue was caused by the application and not by any intermediary service such as a reverse proxy, I ran the curl request from the command line of the server which hosts the application.

@jakguru
Author

jakguru commented May 29, 2020

> @jakguru let me get this straight...
> So, you're trying to reach the URL -> http://localhost:3000/livechat from one of your websites, is that correct?
>
> Also, have you set up the following setting?
> [Screenshot: Screen Shot 2020-05-29 at 17 55 51]
>
> I'll be waiting for your feedback.

Also, I've tried the "Livechat Allowed Domains" option and it didn't change anything, even after clearing cache and cookies in the browser (or just making a fresh curl request).

@renatobecker
Contributor

It seems like the setting below is impacting your environment:

[Screenshot: Screen Shot 2020-05-29 at 22 48 20]

@jakguru
Author

jakguru commented May 31, 2020

> It seems like the setting below is impacting your environment:
>
> [Screenshot: Screen Shot 2020-05-29 at 22 48 20]

Shouldn't those settings be ignored for the livechat, since it MUST be loaded from within an iframe?

@usamamashkoor

@jakguru Did you find any solution for this? I am facing the same issue here.

@pazande

pazande commented Aug 23, 2020

> @jakguru Did you find any solution for this? I am facing the same issue here.

I disabled the option "Restrict access inside any Iframe" and refreshed the page with my widget, and it works fine.

@github-actions
Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stat: stale Stale issues will be automatically closed if no activity label Oct 22, 2020
@dlecan

dlecan commented Nov 16, 2020

Thank you @pazande, I had the same issue, but only on the Brave browser (see RocketChat/Rocket.Chat.Livechat#531).
I have disabled the option "Restrict access inside any Iframe" and have refreshed the page with my widget, and it works fine now.

EDIT: wrong testing, it still doesn't work

@y377

y377 commented Nov 27, 2020

First you need to determine your web server type and add the correct headers.
For example, in Nginx, the correct header is: 'add_header x-frame-options https://www.ssl360.cn'.
Never use punctuation marks, like ";".

@y377

y377 commented Nov 27, 2020

Refer to the consequences of the punctuating bug.

@pawelbura

> @jakguru let me get this straight... So, you're trying to reach the URL -> http://localhost:3000/livechat from one of your websites, is that correct?
>
> Also, have you set up the following setting? [Screenshot: Screen Shot 2020-05-29 at 17 55 51]
>
> I'll be waiting for your feedback.

Thanks! It works for me.
For me it seems that it works a bit differently than in this description: if X-Frame-Options is set to sameorigin, an empty "Livechat Allowed Domains" blocks the chat on any domain.

So my working setup is: X-Frame-Options enabled and set to sameorigin + "Livechat Allowed Domains" set to the domain name (without "http://", just the name).

And it works!
