Content Security Policy

I’m integrating the Web SDK into an existing web project that utilizes a Content Security Policy to restrict what gets run on the page. In the process of development, I’ve noticed that the SDK requires these additional directives:

connect-src: * wss://*
font-src: 'data:'
script-src: * 'unsafe-eval'
worker-src: 'blob:'

Am I missing any other URLs or directives that are required by the library?

Hi @sdenardi,

Are you using our WebSDK sample-web-app or the npm module?

I’m using the npm module in an existing project that uses CSP headers.

The WebSDK uses the Global CDN or the China CDN to resolve its dependencies. It contains all the CSS, font, JS and wasm files. This is the same as the API used to change the dependencies location.

// ZoomMtg.setZoomJSLib('', '/av'); // CDN version default
// ZoomMtg.setZoomJSLib('', '/av'); // Global use
// ZoomMtg.setZoomJSLib('', '/av'); // China use   

The communication uses wss://* (not including China),
so I think if you use, your CSP configuration is right.

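When directives like the ones listed in the first post are added to a project that already has a policy, a directive that was previously absent stops inheriting from its fallback (for example `default-src`), so the sources it inherited have to be carried over. The sketch below is an added example, not code from Zoom or from the posters; `parseCsp`, `mergeCsp` and the sample policy are hypothetical, and the directives are written in header syntax (no colon after the name, scheme sources unquoted).

```javascript
// Added example: merge extra CSP sources into an existing policy string.
// Fallback chains (CSP Level 3) for the directives named in this thread only.
const FALLBACK = {
  'connect-src': ['default-src'],
  'font-src': ['default-src'],
  'script-src': ['default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};

// "default-src 'self'; img-src *" -> Map { 'default-src' => ["'self'"], ... }
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function mergeCsp(policy, additions) {
  const original = parseCsp(policy);
  const directives = new Map(original);
  for (const [name, extra] of Object.entries(additions)) {
    let current = directives.get(name);
    if (current === undefined) {
      // A new directive replaces the fallback, so seed it with the sources the
      // original policy applied (none found: the type was unrestricted before).
      const from = (FALLBACK[name] || []).find((d) => original.has(d));
      current = from ? original.get(from) : [];
    }
    // 'none' must stand alone; drop it once real sources are added.
    const merged = [...current, ...extra].filter((s) => s.toLowerCase() !== "'none'");
    directives.set(name, [...new Set(merged)]);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// Directives from the first post, in header syntax.
const SDK_ADDITIONS = {
  'connect-src': ['*', 'wss://*'],
  'font-src': ['data:'],
  'script-src': ['*', "'unsafe-eval'"],
  'worker-src': ['blob:'],
};
const SAMPLE = "default-src 'self'; script-src 'self'; object-src 'none'"; // constructed
console.log(mergeCsp(SAMPLE, SDK_ADDITIONS));
```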