Description
A cookie associated with a cross-site resource at “zdassets.com” was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies
Additional context
Showing the Zoom meeting window in an Iframe was working fine before the recent Chrome update. Now it is not possible to sign in to a Zoom account and continue the meeting because the Iframe is not able to detect the login due to a cross-site resource cookie blocking in the recent Chrome version.
We were using https://zoom.us/wc/meeting id and it was just working fine before this Chrome update but now it’s not working. Tried the variations that you mentioned but still the same issue. Can you please test with the latest Chrome update and Iframe embed at your end?
The recent Chrome update has completely broken the usage of Iframe to embed a Zoom meeting on a page. Even the meeting join from browser is not working after the update with this snippet:
<iframe src="https://zoom.us/j/442073002 ...
It says,
The Content Security Policy 'default-src blob: 'self'; script-src 'unsafe-eval' 'unsafe-inline' blob: https://*.50million.club https://*.adroll.com https://*.cloudfront.net https://*.google.com https://*.hotjar.com https://*.zoom.us https://*.zoomus.cn https://*.zopim.com https://ad.lkqd.net https://ajax.aspnetcdn.com https://apiurl.org https://appsforoffice.microsoft.com https://assets.zendesk.com https://bat.bing.com https://cdn.5bong.com https://cdn.jsdelivr.net https://cdncache-a.akamaihd.net https://code.jquery.com https://connect.facebook.net https://consent.trustarc.com https://extnetcool.com https://fp166.digitaloptout.com https://googleads.g.doubleclick.net https://intljs.rmtag.com https://pi.pardot.com https://px.ads.linkedin.com https://ruanshi2.8686c.com https://rum-static.pingdom.net https://s.dcbap.com https://s.yimg.com https://s.ytimg.com https://s3.amazonaws.com https://scout-cdn.salesloft.com https://sealserver.trustwave.com https://secure-cdn.mplxtms.com https://secure.myshopcouponmac.com https://snap.licdn.com https://sp.analytics.yahoo.com https://srvvtrk.com https://static.zdassets.com https://static2.sharepointonline.com https://tag.demandbase.com https://tpc.googlesyndication.com https://tracking.g2crowd.com https://translate.googleapis.com https://trk.techtarget.com https://unpkg.com https://www.comeet.co https://www.dropbox.com https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'self'; img-src https://* blob: data: 'self'; style-src https://* 'unsafe-inline' 'self'; font-src https://* data: 'self'; connect-src * data: 'self'; media-src * blob: 'self'; frame-src https://* ms-appx-web://* zoommtg://* zoomus://* 'self'' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
Please look into this because the plugin we created was entirely depending on the Iframe embed to allow zoom meetings on a web page and the functionality is completely non-workable now.
The iframe that you mentioned works only in case we need to skip the enter name screen before join, so if I remove the prefer=1 and un to allow the user to enter their name and join, it does not allow the user to join as the button does not work.
If the user is the host of the meeting and has to sign in first to start the meeting the iframe shown above does not allow the host to sign in and start the meeting as the host. The sign-in page loads again if the host is trying to sign in.
Hello, first time post here.
I am getting the same problem when I am trying to launch a custom live streaming service.
I was able to launch it once, but after that (nothing changed on the other video streaming service) I am now always getting these same messages:
A cookie associated with a cross-site resource at was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .
Hi Tommy,
We are experiencing the same issue and believe it’s related to Chrome’s new SameSite cookie policy. The reason why it might work for you is that Google is rolling this feature out gradually to all users. Currently some users may not be able to load Zoom web client in an iFrame while others will, but as Google continues to roll out the change we think everyone will eventually be unable to load Zoom web client in an iFrame.
If you want to reproduce it in your Chrome browser, you can go to chrome://flags and enable these two specific flags:
- SameSite by default cookies
- Cookies without SameSite must be secure
If you set them to “Enable”, you should be able to reproduce it with the examples that were shared to you before.
Let me know if I can provide more info to help solve this!
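What the two flags above do to a `Set-Cookie` header once the page is embedded cross-site, as an added example that is not part of any post in this thread and is not Zoom's or Chrome's code. The cookie names and values are constructed, and the model covers only iframe and subresource requests, not top-level navigation.

```javascript
// Added example: models the two Chrome flags named in the thread.
// All cookie names and values below are constructed sample data.

// Parse a Set-Cookie header value into { name, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide what happens to the cookie when the site that set it is loaded
// cross-site inside an iframe (or fetched as a cross-site subresource).
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  // "SameSite by default cookies": a missing or unrecognised value acts as Lax.
  const known = ["strict", "lax", "none"].includes(c.sameSite);
  const effective = known ? c.sameSite : "lax";
  if (effective === "none") {
    // "Cookies without SameSite must be secure": None is only accepted with Secure.
    return c.secure ? "sent" : "rejected: SameSite=None without Secure";
  }
  // Lax and Strict cookies are never attached to cross-site iframe requests,
  // which is why a sign-in inside the frame appears to be forgotten.
  const why = known
    ? `SameSite=${effective}`
    : "missing or unrecognised SameSite, treated as Lax";
  return `withheld: ${why}`;
}

// Constructed session cookies, one per case.
const samples = [
  "session=abc123; Path=/; HttpOnly",
  "session=abc123; Path=/; SameSite=None",
  "session=abc123; Path=/; Secure; SameSite=None",
  "session=abc123; Path=/; Secure; SameSite=Lax",
];
for (const h of samples) console.log(`${crossSiteVerdict(h)}  <-  ${h}`);
```

Only the third sample survives embedding, so the fix has to come from the site that sets the cookie, not from the page that hosts the iframe.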
Hi Tommy, I have created a codepen that reproduces the issue. https://codepen.io/airnan/pen/f7a5e8da549cb0e48b4178eab897f5a7
The only difference with your example is that I’m setting the src to /start instead of /join which requests me to sign in before joining.
Can you try signing in in my demo or change join to start in yours? Once you enter your username and password, it should redirect you again to the sign in page.
Also, after setting the flags in Chrome, can you relaunch the browser if you didn’t in your last attempt?
Thanks again for checking this out!
@tommy yes, that was my understanding about it. But right now you can’t log in inside an iframe in Chrome because of Google’s update on their cookies policy that they are gradually rolling out.
If you try to log in on my demo, you’ll see you won’t be able to do it.
I think what @hernantorrisi is experiencing is due to the new Google Chrome SameSite cookie policy (which is still rolling out to some users). Due to SameSite, he says you cannot launch a Zoom session from within an iframe even AFTER logging in. It impacts users that have already had SameSite enabled in their browser, but that seems to be a large percentage of Chrome users.
Based on your answer in this thread (Web SDK Can't Join as Host) the only way for a host to launch a Zoom session from within their browser via a third-party application is to use an iframe. However, due to Chrome SameSite, the iframe solution is broken for many many Chrome users. You can validate the error by forcing your Chrome SameSite flags to enabled and testing with the codepen posted above.
@tommy Thanks for your info.
I’ll try to summarize what I’ve been gathering.
For our intended integration with zoom:
- we can’t use the SDK because, in our scenario, we want 3rd party users to host the session which is not possible, as you explained here: Web SDK Can't Join as Host
- we can’t use an iframe in Chrome because of Google’s new SameSite cookie policy
So for now, until Chrome’s issue is addressed on your side, we’ll have to wait.
Would that be a good explanation of the current state of things?