I’m integrating the Web SDK into an existing web project that utilizes a Content Security Policy to restrict what gets run on the page. In the process of development, I’ve noticed that the SDK requires these additional directives:
// ZoomMtg.setZoomJSLib('https://dmogdx0jrul3u.cloudfront.net/1.5.1/lib', '/av'); // CDN version default
// ZoomMtg.setZoomJSLib('https://source.zoom.us/1.5.1/lib', '/av'); // Global use source.zoom.us
// ZoomMtg.setZoomJSLib('https://jssdk.zoomus.cn/1.5.1/lib', '/av'); // China use jssdk.zoomus.cn
The communication uses wss://*.zoom.us (not including China),
so I think if you use source.zoom.us, your CSP configuration is right.
Thanks
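To check a candidate policy against the endpoints named in this reply before deploying it, a small source-list matcher is enough. This is an added example, not code from the thread or from Zoom; the mapping of hosts to script-src and connect-src, the file name and the subdomain are assumptions, and only scheme, host wildcard and path prefix are evaluated.

```javascript
// Added example: simplified CSP source matching (scheme, host wildcard, path prefix only).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// Does one source expression cover the URL? Keywords such as 'self' and
// sources with ports are not evaluated and count as no match.
function sourceMatches(source, url) {
  if (source === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^'/:]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  // Assumption: a schemeless host inherits https from the page.
  const scheme = (m[1] || 'https').toLowerCase() + ':';
  const host = m[2].toLowerCase();
  const path = m[3] || '';
  if (scheme !== url.protocol) return false;
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // "*.zoom.us": subdomains, not zoom.us itself
    : url.hostname === host;
  if (!hostOk) return false;
  if (path === '') return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// List the "directive url" pairs that the policy would block.
function blocked(header, needs) {
  const policy = parseCsp(header);
  return needs.filter(([directive, href]) => {
    const sources = policy[directive] || policy['default-src'];
    if (!sources) return false; // nothing restricts this fetch
    return !sources.some((s) => sourceMatches(s, new URL(href)));
  }).map(([directive, href]) => `${directive} ${href}`);
}

// Hosts from the thread; directive mapping, file name and subdomain are constructed.
const NEEDS = [
  ['script-src', 'https://source.zoom.us/1.5.1/lib/example.js'],
  ['connect-src', 'wss://rwc-example.zoom.us/'],
];
const TIGHT = "default-src 'self'; script-src 'self' https://source.zoom.us";
const FIXED = TIGHT + "; connect-src 'self' wss://*.zoom.us";
console.log(blocked(TIGHT, NEEDS), blocked(FIXED, NEEDS));
```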
My company is currently trying to integrate the Zoom Web SDK into our SPA and needs to configure CSP using nginx.
Context
We have a functioning video chat when running locally, but as soon as we deployed the feature to our upper environments (which are all running on a higher level security protocol / HTTPS) we found a slew of CSP errors in our console. We found this thread and attempted addressing the CSP issues. Up to this point, we have updated our headers several times to allow all necessary Zoom connections, but to no avail. Below you can see our current CSP header taken from our security.conf file (nginx):
That is correct. They are CSP errors output by the browser. We actually resolved this by reconfiguring our nginx security.config file. My apologies for the delay in response, it’s been a busy week for us.
The best workaround is to use the Zoom Desktop / Mobile app.
Just include the Zoom meeting join URL (https://zoom.us/j/meetingID) on your site rather than showing the Web SDK / iframe. Clicking on the join URL will open the Zoom meeting in the Zoom app.