fix: Livechat CSP whitelist validation (#29278)

RocketChat · May 18, 2023 · 1702461 · 1702461
1 parent 3ad30b4
commit 1702461
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/.changeset/mean-bottles-work.md b/.changeset/mean-bottles-work.md
@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+fixes the Livechat CSP validation, which was incorrectly blocking access to the widget for all non whitelisted domains
diff --git a/apps/meteor/app/livechat/server/livechat.ts b/apps/meteor/app/livechat/server/livechat.ts
@@ -21,7 +21,7 @@ WebApp.connectHandlers.use('/livechat', (req, res, next) => {
 
 	const domainWhiteListSetting = settings.get<string>('Livechat_AllowedDomainsList');
 	let domainWhiteList = [];
-	if (req.headers.referer && !domainWhiteListSetting.trim()) {
+	if (req.headers.referer && domainWhiteListSetting.trim()) {
 		domainWhiteList = domainWhiteListSetting.split(',').map((domain) => domain.trim());
 
 		const referer = url.parse(req.headers.referer);