Content Securty Policy

I’m integrating the Web SDK into an existing web project that utilizes a Content Security Policy to restrict what gets run on the page. In the process of development, I’ve noticed that the SDK requires these additional directives:

connect-src: *.zoom.us zoom.us wss://*.zoom.us
font-src: 'data:'
script-src: *.zoom.us zoom.us 'unsafe-eval'
worker-src: 'blob:'

Am I missing any other URLs or directives that are required by the library?

Hi @sdenardi,

Are you using our WebSDK sample-web-app or the npm module?

I’m using the npm module in an existing project that uses CSP headers.

WebSDK use Global CDN source.zoom.us or dmogdx0jrul3u.cloudfront.net
China CDN jssdk.zoomus.cn
to solve the dependencies.

https://github.com/zoom/zoomus-jssdk/tree/master/dist it contain all css. font, js and wasm files. same as https://www.npmjs.com/package/zoomus-jssdk
https://zoom.github.io/sample-app-web/ZoomMtg.html#setZoomJSLib the api use to change the dependencies location.

// ZoomMtg.setZoomJSLib('https://dmogdx0jrul3u.cloudfront.net/1.5.1/lib', '/av'); // CDN version default
// ZoomMtg.setZoomJSLib('https://source.zoom.us/1.5.1/lib', '/av'); // Global use source.zoom.us
// ZoomMtg.setZoomJSLib('https://jssdk.zoomus.cn/1.5.1/lib', '/av'); // China use jssdk.zoomus.cn   

the communication use wss://*.zoom.us (not include china)
so I think if you use source.zoom.us, you CSP configuration is right.
Thanks

1 Like

Hey there @JackYang & @Michael_Purnell, my name is Spencer. I hope this message finds you well.

My company is currently trying to integrate the Zoom Web SDK into our SPA and need to configure CSP using nginx.

Context
We have a functioning video chat when running locally, but as soon as we deployed the feature to our upper environments (which are all running on a higher level security protocol / HTTPS) we found a slew of CSP errors in our console. We found this thread and attempted addressing the CSP issues. Up to this point, we have updated our headers several times to allow all necessary Zoom connections, but to no avail. Below you can see our current CSP header taken from our security.conf file (nginx):

add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; connect-src 'self' *.zoom.us zoom.us wss://*.zoom.us; font-src 'self' 'data:'; script-src 'self' *.zoom.us zoom.us 'unsafe-eval'; worker-src 'self' 'blob:'" always;

The Errors
With the update above, we now have other CDN’s being blocked and a variety of different CSP complaints in our Chrome Browser console:

Our Ask
Do you have a recommendation forward for configuring CSP in nginx for the Zoom Web SDK that won’t create issues with our other CDN’s?

Thanks so much in advanced and looking forward to hearing from you! :blush:

Hey @spencermarx, thanks for posting and using Zoom!

Looks like those errors aren’t coming from the Web SDK.

Are you using the Local Version or CDN Version of the Web SDK?

Thanks,
Tommy

That is correct. They are CSP errors output by the browser. We actually resolved this by reconfiguring our nginx security.config file. My apologies for the delay in response, it’s been a busy week for us.

Thank you @tommy for taking a look at this :blush:

Best,
Spencer Marx

1 Like

Happy to help! Glad you got it resolved!

Please due note the current status of the Web SDK:

We are working to get the Zoom Web Client and Zoom Web SDK back online. Please keep up with our status page for detailed updates: status.zoom.us


The best workaround is to use the Zoom Desktop / Mobile app.

Just include the Zoom meeting join url (https://zoom.us/j/meetingID) on your site rather than showing the websdk / iframe. Clicking on the join url will open the Zoom meeting in the Zoom app.

Apologies for the inconvenience,
Tommy

1 Like