Content Security Policy

I’m integrating the Web SDK into an existing web project that utilizes a Content Security Policy to restrict what gets run on the page. In the process of development, I’ve noticed that the SDK requires these additional directives:

connect-src *.zoom.us zoom.us wss://*.zoom.us;
font-src data:;
script-src *.zoom.us zoom.us 'unsafe-eval';
worker-src blob:

Am I missing any other URLs or directives that are required by the library?

Hi @sdenardi,

Are you using our WebSDK sample-web-app or the npm module?

I’m using the npm module in an existing project that uses CSP headers.

The WebSDK uses the global CDN source.zoom.us or dmogdx0jrul3u.cloudfront.net, or the China CDN jssdk.zoomus.cn, to resolve its dependencies.

https://github.com/zoom/zoomus-jssdk/tree/master/dist contains all the CSS, font, JS and wasm files, the same as https://www.npmjs.com/package/zoomus-jssdk.
https://zoom.github.io/sample-app-web/ZoomMtg.html#setZoomJSLib is the API used to change the location of the dependencies.

// ZoomMtg.setZoomJSLib('https://dmogdx0jrul3u.cloudfront.net/1.5.1/lib', '/av'); // CDN version default
// ZoomMtg.setZoomJSLib('https://source.zoom.us/1.5.1/lib', '/av'); // Global use source.zoom.us
// ZoomMtg.setZoomJSLib('https://jssdk.zoomus.cn/1.5.1/lib', '/av'); // China use jssdk.zoomus.cn   

The communication uses wss://*.zoom.us (not including China), so I think if you use source.zoom.us, your CSP configuration is right.
Thanks

1 Like
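
The directives discussed in this thread, run through a small Node.js helper that checks source-expression quoting and serializes the header value. This is an added example, not code from the posters or from the Zoom SDK; `lintSource`, `buildCsp` and `zoomSdkPolicy` are hypothetical names, and the keyword list is a subset of the CSP keywords.

```javascript
// Added example (not Zoom SDK code): lint and serialize the thread's CSP directives.
// CSP keyword sources are single-quoted; scheme and host sources are not.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval',
  'strict-dynamic', 'unsafe-hashes', 'wasm-unsafe-eval', 'report-sample']);

// Returns a problem description for one source expression, or null if it looks fine.
function lintSource(src) {
  const quoted = /^'.*'$/.test(src);
  const inner = quoted ? src.slice(1, -1) : src;
  if (quoted && /^[a-z][a-z0-9+.-]*:$/i.test(inner)) {
    return `${src}: scheme sources are written unquoted (${inner})`;
  }
  if (!quoted && KEYWORDS.has(inner.toLowerCase())) {
    return `${src}: keyword sources must be quoted ('${inner}')`;
  }
  if (quoted && !KEYWORDS.has(inner.toLowerCase()) &&
      !/^(nonce-|sha(256|384|512)-)/i.test(inner)) {
    return `${src}: unknown quoted source`;
  }
  return null;
}

// policy: { directiveName: [source, ...] }. Returns { header, problems }.
function buildCsp(policy) {
  const problems = [];
  const parts = [];
  for (const [name, sources] of Object.entries(policy)) {
    if (!/^[a-z-]+$/.test(name)) problems.push(`${name}: directive names take no colon`);
    for (const s of sources) {
      const p = lintSource(s);
      if (p) problems.push(`${name} ${p}`);
    }
    parts.push([name, ...sources].join(' '));
  }
  return { header: parts.join('; '), problems };
}

// Directives from the thread, with data: and blob: as unquoted scheme sources.
const zoomSdkPolicy = {
  'connect-src': ['*.zoom.us', 'zoom.us', 'wss://*.zoom.us'],
  'font-src': ['data:'],
  'script-src': ['*.zoom.us', 'zoom.us', "'unsafe-eval'"],
  'worker-src': ['blob:'],
};

const result = buildCsp(zoomSdkPolicy);
console.log('Content-Security-Policy:', result.header);
console.log(buildCsp({ 'font-src': ["'data:'"], 'script-src': ['unsafe-eval'] }).problems);
```

A quoted `'data:'` or `'blob:'` does not match any CSP source expression, so the browser ignores it and the font or worker load is still blocked.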