[Chrome] Shared array buffer + web isolation + 3rd solution integration : COEP Credentialless to the rescue

Hi,

This topic is just to share some potentially useful information for anyone facing integration issues for web isolation with their 3rd party solutions.
It could also be useful for you, Zoom’s support, to recommend the use of the COEP credentialless origin trial for people who cannot implement web isolation yet.

[Problem recap]
For people who did not follow such topic, and to quickly recap the problematic situation:

  • the Zoom Web SDK requires the shared array buffer feature for the video to work
  • the shared array buffer feature is going to require the web isolation to be active
  • the current origin trial to let the shared array buffer continue to work without the web isolation will end soon. This has recently been postponed to Chrome 96 - almost end of the year to buy some time, but still.

If in your application you are using any 3rd party solution that is not yet compliant with web isolation (returning the expected CORP headers in their response when you interact with their services), then you cannot implement the web isolation in your application.

In such a situation, this means you would either lose the video on Zoom or have to remove the use of such a 3rd party: quite dramatic…

As an example, in our situation, we are using some Datadog packages (Web browser logs, RUM) to monitor our end user (logs, RUM, traces), and Datadog services are not yet compliant with CORP. On our request they are currently working on it, but this would not be delivered before Q4 this year.
This means either we lose the video on Zoom inside our application, or we lose our end user monitoring. Neither is acceptable.

If you are in such situation, you better start to contact your 3rd party solution company.

[COEP Credentialless to the rescue]

This is the situation, but good news, Google recently announced the release of a new origin trial that will enable us to activate web isolation without being fully compliant with CORP.
I’ll pass the details and let you read the few lines available here in case you want to understand how it’s going to release us from that burden.

The interesting part for this topic is the following paragraph:

[Conclusion]

So for any people facing the same situation as us, applying & using this new origin trial will buy you some time to be fully CORP compliant on your application. As I mentioned, if you have any 3rd party vendor that did not opt in to web isolation yet, you should also request them to do it.
It should definitely not be considered as a final solution, and Google mentioned it; it’s just to offer some time to any solution to opt in.

It will at least unlock the current situation with the requirements made by the Web SDK.

Chrome 93 beta is already there if you want to test it.
Feel free to share your opinion / remarks if you have any.
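
Added example (not part of the original post, and not Zoom's or Chrome's code): a simplified JavaScript model of how cross-origin subresources fare under `COEP: require-corp` versus `COEP: credentialless`, used to list which third parties still need to send CORP headers. The origins, resource list and function names are constructed for illustration, and the model's simplifications are stated in the comments.

```javascript
// Added illustration; all origins and resources below are constructed samples.
// Response headers a page needs for self.crossOriginIsolated (and SharedArrayBuffer).
const ISOLATION_HEADERS = {
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Embedder-Policy": "credentialless", // or "require-corp"
};

function isIsolated(headers) {
  const coep = headers["Cross-Origin-Embedder-Policy"];
  return headers["Cross-Origin-Opener-Policy"] === "same-origin" &&
    (coep === "require-corp" || coep === "credentialless");
}

// Simplified model of one subresource fetch under a given COEP value.
// Assumptions: CORP "same-site" is treated like "same-origin" (all sample third
// parties are cross-site); "cors" means crossorigin="anonymous" (no credentials).
function evaluate(pageOrigin, res, coep) {
  if (new URL(res.url).origin === pageOrigin) return { loads: true, credentials: true };
  if (res.mode === "cors") {
    // CORS requests pass or fail on the CORS check, independent of COEP.
    return { loads: res.acao === "*" || res.acao === pageOrigin, credentials: false };
  }
  // Cross-origin no-cors: credentialless strips cookies before the request is sent.
  const credentials = coep !== "credentialless";
  if (res.corp) return { loads: res.corp === "cross-origin", credentials };
  // No CORP header: require-corp blocks, credentialless and no-COEP pages load it.
  return { loads: coep !== "require-corp", credentials };
}

// Resources that only load thanks to credentialless: the vendors to chase for CORP.
function needsVendorFix(pageOrigin, resources) {
  return resources
    .filter((r) => !evaluate(pageOrigin, r, "require-corp").loads &&
                   evaluate(pageOrigin, r, "credentialless").loads)
    .map((r) => r.url);
}

const PAGE = "https://app.example";
const RESOURCES = [
  { url: "https://app.example/main.js", mode: "no-cors" },
  { url: "https://rum.vendor.example/agent.js", mode: "no-cors" }, // no CORP header
  { url: "https://cdn.vendor.example/lib.js", mode: "no-cors", corp: "cross-origin" },
  { url: "https://fonts.vendor.example/f.woff2", mode: "cors", acao: "*" },
  { url: "https://img.vendor.example/private.png", mode: "no-cors", corp: "same-origin" },
];

console.log(isIsolated(ISOLATION_HEADERS), needsVendorFix(PAGE, RESOURCES));
```

A resource served with `Cross-Origin-Resource-Policy: same-origin` stays blocked in both modes, so credentialless only helps with third parties that send no CORP header at all.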

:anguished:

What a joke… ending the new origin trial before the shared array buffer one.
Hope they are going to extend it, or really make it GA feature right after.

Hey @nvivot,

Thank you for sharing your knowledge here and for bringing this to our attention! I’ll talk with our team and see how we are preparing for this.

I’ll let you know what I hear.

Thanks,
Max

Hi @MaxM,

Do you have an update about the credentialless origin trial? Will it be supported by Zoom?

We have already tested our app on Chrome 92 and 93 with the following setup.

  • Credentialless Origin Trial - Enabled
  • SharedArrayBuffer Origin Trial - Disabled
  • Web SDK Version - 1.9.7

Here are our test results:

  1. On Chrome 92, as expected, video did not work since credentialless is only supported from Chrome v.93
  2. On Chrome 93, the video worked but we saw the following error message.

So, our question is, will Zoom support/recommend using the credentialless origin trial as well as one solution for the Web Isolation issue?

Looking forward to your soonest reply.

Regards,
Lara

@lfrancia I haven’t had anyone follow up on this just yet. I’ll check back in with our Web SDK to see what their thoughts are. With version 1.9.8 we did make some adjustments for Chrome 93 but I’m not sure that we are accounting for the credentialless trial.

Max

Hi @MaxM,

Thank you for your reply.
We will wait for the update regarding credentialless origin trial then.

Regards,
Lara

Hey @lfrancia,

No word yet but I’ll get back to you when I know more.

Thanks,
Max