From ef77a2120bfc73bae0ddb6dd8419b050fbb5adc7 Mon Sep 17 00:00:00 2001
From: Renato Becker
Date: Fri, 1 May 2020 13:31:08 -0300
Subject: [PATCH] [FIX] Replace obsolete X-FRAME-OPTIONS header on Livechat route (#17419)

Replace deprecated X-FRAME-OPTIONS header by Content-Security-Policy.

Co-authored-by: Marcos Spessatto Defendi
---
 app/livechat/server/livechat.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/livechat/server/livechat.js b/app/livechat/server/livechat.js
index a60126beda7f..7e81220805a8 100644
--- a/app/livechat/server/livechat.js
+++ b/app/livechat/server/livechat.js
@@ -26,11 +26,11 @@ WebApp.connectHandlers.use('/livechat', Meteor.bindEnvironment((req, res, next)
 const referer = url.parse(req.headers.referer);
 if (!_.contains(domainWhiteList, referer.host)) {
- res.setHeader('X-FRAME-OPTIONS', 'DENY');
+ res.setHeader('Content-Security-Policy', 'frame-ancestors \'none\'');
 return next();
 }
- res.setHeader('X-FRAME-OPTIONS', `ALLOW-FROM ${ referer.protocol }//${ referer.host }`);
+ res.setHeader('Content-Security-Policy', `frame-ancestors ${ referer.protocol }//${ referer.host }`);
 }
 res.write(indexHtmlWithServerURL);
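Review bot: The deny branch now relies solely on `frame-ancestors 'none'`, so a browser that does not implement CSP Level 2 (IE11, for instance) is left with no clickjacking protection at all, whereas `X-Frame-Options: DENY` is honoured everywhere; only the `ALLOW-FROM` form was the obsolete part. The usual advice is to send both on that branch, `res.setHeader('X-Frame-Options', 'DENY');` followed by `res.setHeader('Content-Security-Policy', 'frame-ancestors \'none\'');`, since browsers that understand CSP give the CSP directive precedence. Note also that `setHeader` replaces any `Content-Security-Policy` an upstream middleware may already have attached to this response, which would silently drop that policy's other directives if a site-wide CSP exists — worth confirming. The enclosing `Meteor.bindEnvironment` handler starts before and ends after this hunk, and the hunk itself appears truncated at the end of the page.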