RocketChat · kodiakhq · Apr 2, 2024 · Apr 2, 2024
diff --git a/apps/meteor/app/cors/server/cors.ts b/apps/meteor/app/cors/server/cors.ts
@@ -16,14 +16,28 @@
 
 const logger = new Logger('CORS');
 
+let templatePromise: Promise<void> | void;
+
+declare module 'meteor/webapp' {
+	// eslint-disable-next-line @typescript-eslint/no-namespace
+	namespace WebApp {
+		function setInlineScriptsAllowed(allowed: boolean): Promise<void>;
+	}
+}
+
 settings.watch<boolean>(
 	'Enable_CSP',
-	Meteor.bindEnvironment((enabled) => {
-		WebAppInternals.setInlineScriptsAllowed(!enabled);
+	Meteor.bindEnvironment(async (enabled) => {
+		templatePromise = WebAppInternals.setInlineScriptsAllowed(!enabled);
 	}),
 );
 
-WebApp.rawConnectHandlers.use((_req: http.IncomingMessage, res: http.ServerResponse, next: NextFunction) => {
+WebApp.rawConnectHandlers.use(async (_req: http.IncomingMessage, res: http.ServerResponse, next: NextFunction) => {
+	if (templatePromise) {
+		await templatePromise;
+		templatePromise = void 0;
+	}
+
 	// XSS Protection for old browsers (IE)
 	res.setHeader('X-XSS-Protection', '1');
 
@@ -158,7 +172,7 @@

 	const isLocal =
 		localhostRegexp.test(remoteAddress) &&
 		(!req.headers['x-forwarded-for'] || _.all((req.headers['x-forwarded-for'] as string).split(','), localhostTest));
 	// @ts-expect-error - `pair` is valid, but doesnt exists on types
 	const isSsl = req.connection.pair || (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'].indexOf('https') !== -1);