RocketChat · rodrigok · Oct 18, 2019 · May 30, 2019 · Jun 3, 2019 · Sep 9, 2019
diff --git a/app/cors/server/cors.js b/app/cors/server/cors.js
@@ -57,6 +57,9 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
 	if (/^\/(api|_timesync|sockjs|tap-i18n)(\/|$)/.test(req.url)) {
 		res.setHeader('Access-Control-Allow-Origin', '*');
 	}
+	if (settings.get('Iframe_Restrict_Access')) {
+		res.setHeader('X-Frame-Options', settings.get('Iframe_X_Frame_Options'));
+	}
 
 	const { setHeader } = res;
 	res.setHeader = function(key, val, ...args) {
@@ -65,6 +68,7 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
 		}
 		return setHeader.apply(this, [key, val, ...args]);
 	};
+
 	return next();
 });
 

diff --git a/app/lib/server/startup/settings.js b/app/lib/server/startup/settings.js
@@ -756,6 +756,18 @@ settings.addGroup('General', function() {
 		type: 'boolean',
 		secret: true,
 	});
+	this.add('Iframe_Restrict_Access', true, {
+		type: 'boolean',
+		secret: true,
+	});
+	this.add('Iframe_X_Frame_Options', 'sameorigin', {
+		type: 'string',
+		secret: true,
+		enableQuery: {
+			_id: 'Iframe_Restrict_Access',
+			value: true,
+		},
+	});
 	this.add('Favorite_Rooms', true, {
 		type: 'boolean',
 		public: true,

diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -1581,6 +1581,10 @@
   "Iframe_Integration_send_enable_Description": "Send events to parent window",
   "Iframe_Integration_send_target_origin": "Send Target Origin",
   "Iframe_Integration_send_target_origin_Description": "Origin with protocol prefix, which commands are sent to e.g. 'https://localhost', or * to allow sending to anywhere.",
+  "Iframe_Restrict_Access": "Restrict access inside any Iframe",
+  "Iframe_Restrict_Access_Description": "This setting enable/disable restrictions to load the RC inside any iframe",
+  "Iframe_X_Frame_Options": "Options to X-Frame-Options",
+  "Iframe_X_Frame_Options_Description": "Options to X-Frame-Options. [You can see all the options here.](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Syntax)",
   "Ignore": "Ignore",
   "Ignored": "Ignored",
   "IMAP_intercepter_already_running": "IMAP intercepter already running",

diff --git a/server/startup/migrations/index.js b/server/startup/migrations/index.js
@@ -156,4 +156,5 @@ import './v155';
 import './v156';
 import './v157';
 import './v158';
+import './v159';
 import './xrun';
diff --git a/server/startup/migrations/v159.js b/server/startup/migrations/v159.js
@@ -0,0 +1,14 @@
+import { Migrations } from '../../../app/migrations';
+import { Settings } from '../../../app/models';
+
+// Enable iframe usage for existant RC installations.
+Migrations.add({
+	version: 159,
+	up() {
+		Settings.upsert({ _id: 'Iframe_Restrict_Access' }, {
+			$set: {
+				value: false,
+			},
+		});
+	},
+});