Cookie blocked and login to Zoom is not possible after updating to Chrome version 80.0.3987.132

Description
A cookie associated with a cross-site resource at “zdassets.com” was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies

Error
VM542 vendors~web_widget.9db531c7c53d2d8b8886.chunk.js:149 GET zoomus.zendesk.com/embeddable_blip?type=pageView&data=…%3D%3D net::ERR_BLOCKED_BY_CLIENT

Which App Type (OAuth / Chatbot / JWT / Webhook)?
It’s happening in the current version of the Chrome browser

Screenshots (If applicable)

Additional context
Showing the Zoom meeting window in an Iframe was working fine before the recent Chrome update. Now it is not possible to sign in to a Zoom account and continue the meeting because the Iframe is not able to detect the login due to cross-site resource cookie blocking in the recent Chrome version.

Hey @elearningevolve, thanks for posting and using Zoom!

What URL are you trying to embed into an iFrame?

This method should still work:

Thanks,
Tommy

We were using https://zoom.us/wc/meeting id and it was just working fine before this Chrome update but now it’s not working. Tried the variations that you mentioned but still the same issue. Can you please test with the latest Chrome update and Iframe embed at your end?

The recent Chrome update has completely broken the usage of Iframe to embed zoom meeting on a page. Even the meeting join from browser is not working after the update with this snippet

<iframe src="https://zoom.us/j/442073002 ... It says, The Content Security Policy 'default-src blob: 'self'; script-src 'unsafe-eval' 'unsafe-inline' blob: https://*.50million.club https://*.adroll.com https://*.cloudfront.net https://*.google.com https://*.hotjar.com https://*.zoom.us https://*.zoomus.cn https://*.zopim.com https://ad.lkqd.net https://ajax.aspnetcdn.com https://apiurl.org https://appsforoffice.microsoft.com https://assets.zendesk.com https://bat.bing.com https://cdn.5bong.com https://cdn.jsdelivr.net https://cdncache-a.akamaihd.net https://code.jquery.com https://connect.facebook.net https://consent.trustarc.com https://extnetcool.com https://fp166.digitaloptout.com https://googleads.g.doubleclick.net https://intljs.rmtag.com https://pi.pardot.com https://px.ads.linkedin.com https://ruanshi2.8686c.com https://rum-static.pingdom.net https://s.dcbap.com https://s.yimg.com https://s.ytimg.com https://s3.amazonaws.com https://scout-cdn.salesloft.com https://sealserver.trustwave.com https://secure-cdn.mplxtms.com https://secure.myshopcouponmac.com https://snap.licdn.com https://sp.analytics.yahoo.com https://srvvtrk.com https://static.zdassets.com https://static2.sharepointonline.com https://tag.demandbase.com https://tpc.googlesyndication.com https://tracking.g2crowd.com https://translate.googleapis.com https://trk.techtarget.com https://unpkg.com https://www.comeet.co https://www.dropbox.com https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'self'; img-src https://* blob: data: 'self'; style-src https://* 'unsafe-inline' 'self'; font-src https://* data: 'self'; connect-src * data: 'self'; media-src * blob: 'self'; frame-src https://* ms-appx-web://* zoommtg://* zoomus://* 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. 
Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.

Please look into this because the plugin we created was entirely depending on the Iframe embed to allow zoom meetings on a web page and the functionality is completely non-workable now.

Hey @elearningevolve,

Can you share your iFrame code so I can try to reproduce the issue.

Thanks,
Tommy

Tried all the variations and the issue is the same for all of them

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/wc/join/meeting_id" frameborder="0"></iframe>

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/j/meeting_id" frameborder="0"></iframe>

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/wc/meeting_id/join?prefer=1&pwd=Nm9iRDBROXFiT2NYMytDb3VjUjZtUT09&&un=zhangc" sandbox="allow-forms allow-scripts allow-same-origin" frameborder="0"></iframe>

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/wc/meeting_id/join?prefer=1&pwd=Nm9iRDBROXFiT2NYMytDb3VjUjZtUT09&&un=zhangc" sandbox="allow-forms allow-scripts" frameborder="0"></iframe>

Hey @elearningevolve,

It is working fine for me.

Here is the iFrame code I am using:

<iframe src="https://zoom.us/wc/MEETING_ID/join?prefer=1&un=bmFtZQ==" width="1000px" height="500px" sandbox="allow-same-origin allow-forms allow-scripts" allow="microphone; camera"></iframe>

Try using the above code.

Thanks,
Tommy

So here is the problem,

  1. The iframe that you mentioned works only in case we need to skip the enter name screen before join, so if I remove the prefer=1 and un to allow the user to enter their name and join it does not allow the user to join as the button does not work.
  2. If the user is the host of the meeting and has to sign in first to start the meeting the iframe shown above does not allow the host to sign in and start the meeting as the host. The sign-in page loads again if the host is trying to sign in.

Hey @elearningevolve,

I tried your links, and they also worked for me using Chrome version 80.0.3987.132:

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/wc/join/meeting_id" frameborder="0"></iframe>

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/j/meeting_id" frameborder="0"></iframe>

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/wc/meeting_id/join?prefer=1&pwd=Nm9iRDBROXFiT2NYMytDb3VjUjZtUT09&&un=zhangc"  sandbox="allow-forms allow-scripts allow-same-origin"   frameborder="0"></iframe>

<iframe allowfullscreen scrolling="no" allow="microphone; camera" src="https://zoom.us/wc/meeting_id/join?prefer=1&pwd=Nm9iRDBROXFiT2NYMytDb3VjUjZtUT09&&un=zhangc"  sandbox="allow-forms allow-scripts allow-same-origin"   frameborder="0"></iframe>

Have you tried using the start_url in the src attribute of the iFrame? It will sign you in automatically.

Thanks,
Tommy

Hello, first time post here.
I am getting the same problem when I am trying to launch a custom live streaming service.

I was able to launch it once, but after that (nothing changed on the other video streaming service) I am now always getting these same messages:

A cookie associated with a cross-site resource at was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .

Any ideas here?

My Chrome Version is:

Version 80.0.3987.149 (Official Build) (64-bit)

Hey @cvuljanic, thanks for posting and using Zoom!

Can you provide more details like your code, screenshots, and steps to reproduce the issue?

Thanks,
Tommy

Hi Tommy,
We are experiencing the same issue and believe it’s related to Chrome’s new SameSite cookie policy. The reason why it might work for you is that Google is rolling this feature out gradually to all users. Currently some users may not be able to load Zoom web client in an iFrame while others will, but as Google continues to roll out the change we think everyone will eventually be unable to load Zoom web client in an iFrame.
If you want to reproduce it in your Chrome browser, you can go to chrome://flags and enable these two specific flags:

  • SameSite by default cookies
  • Cookies without SameSite must be secure

If you set them to “Enable”, you should be able to reproduce it with the examples that were shared with you before.
Let me know if I can provide more info to help solve this!
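
Added example, not part of any post in this thread and not Zoom's or Chrome's code: a small JavaScript audit that applies the two rules behind the flags named above to Set-Cookie headers and reports which cookies an embedded (iframe) page would lose. The sample headers and cookie names are constructed, and treating an unrecognised SameSite value like a missing one is an assumption.

```javascript
// Added example. Models the two Chrome 80 behaviours named in this thread:
// "SameSite by default cookies" and "Cookies without SameSite must be secure".

// Parse one Set-Cookie header value into the fields the rules depend on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    // Assumption: an unrecognised SameSite value is handled like a missing one.
    if (key === 'samesite' && ['strict', 'lax', 'none'].includes(value)) cookie.sameSite = value;
  }
  return cookie;
}

// Would this cookie accompany a request made from inside a cross-site iframe?
function crossSiteVerdict(header) {
  const { name, sameSite, secure } = parseSetCookie(header);
  if (sameSite === 'none') {
    return secure
      ? { name, sent: true, reason: 'SameSite=None with Secure' }
      : { name, sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (sameSite === null) {
    return { name, sent: false, reason: 'no SameSite attribute, treated as Lax' };
  }
  return { name, sent: false, reason: `SameSite=${sameSite} is withheld from cross-site iframes` };
}

// Return the cookies an embedded (iframe) page would lose.
function auditForEmbedding(headers) {
  return headers.map(crossSiteVerdict).filter((v) => !v.sent);
}

// Constructed sample headers; the cookie names are hypothetical.
const SAMPLE_HEADERS = [
  'session_id=abc123; Path=/; Secure; HttpOnly',
  'session_id=abc123; Path=/; Secure; HttpOnly; SameSite=None',
  'widget_pref=1; Path=/; SameSite=None',
  'csrf_token=x9; Path=/; Secure; SameSite=Strict',
];

for (const v of auditForEmbedding(SAMPLE_HEADERS)) {
  console.log(`${v.name}: not sent cross-site (${v.reason})`);
}
```

A session cookie that shows up in this list explains the sign-in loop described in the thread: the login succeeds, but the next request from the iframe arrives without the cookie.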

Hey @hernantorrisi,

Thanks for sharing these details, however I still am unable to reproduce the issue.

Chrome: Version 80.0.3987.149 (Official Build) (64-bit)

<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>iFrame</title>
  </head>
  <body>
    <iframe src="https://zoom.us/wc/{MEETINGID}/join?prefer=1&un=bmFtZQ==" width="1000px" height="500px" sandbox="allow-same-origin allow-forms allow-scripts" allow="microphone; camera"></iframe>
  </body>
</html>

-Tommy

Hi Tommy, I have created a codepen that reproduces the issue.
https://codepen.io/airnan/pen/f7a5e8da549cb0e48b4178eab897f5a7
The only difference with your example is that I’m setting the src to /start instead of /join which requests me to sign in before joining.
Can you try signing in in my demo or change join to start in yours? Once you enter your username and password, it should redirect you again to the sign in page.
Also, after setting the flags in Chrome, can you relaunch the browser if you didn’t in your last attempt?
Thanks again for checking this out!

Hey @hernantorrisi,

Starting meetings is not supported inside an iFrame, unless you sign in. That is the designed functionality.

Thanks,
Tommy

@tommy yes, that was my understanding about it. But right now you can’t log in inside an iframe in Chrome because of Google’s update to their cookie policy that they are gradually rolling out.
If you try to login on my demo, you’ll see you won’t be able to do it.


I think what @hernantorrisi is experiencing is due to the new Google Chrome SameSite cookie policy (which is still rolling out to some users). Due to SameSite, he says you cannot launch a Zoom session from within an iframe even AFTER logging in. It impacts users that have already had SameSite enabled in their browser, but that seems to be a large percentage of Chrome users.

Based on your answer in this thread (Web SDK Can't Join as Host) the only way for a host to launch a Zoom session from within their browser via a third-party application is to use an iframe. However, due to Chrome SameSite, the iframe solution is broken for many many Chrome users. You can validate the error by forcing your Chrome SameSite flags to enabled and testing with the codepen posted above.

Hey @hernantorrisi, correct.

To start the webinar, please use the start url (not inside an iFrame) or start it in the Zoom App or Zoom Web Portal

Thanks,
Tommy

Hey @johne, thanks for sharing these details.

We are aware of these changes coming within Chrome, and always recommend using the officially supported Web SDK over an iFrame.

-Tommy

@tommy Thanks for your info.
I’ll try to summarize what I’ve been gathering.
For our intended integration with zoom:

  • we can’t use the SDK because, in our scenario, we want 3rd party users to host the session which is not possible, as you explained here: Web SDK Can't Join as Host
  • we can’t use an iframe in Chrome because of Google’s new SameSite cookie policy

So for now, until Chrome’s issue is addressed on your side, we’ll have to wait.
Would that be a good explanation of the current state of things?

Thanks for your patience and help in advance.