Starting meetings is not supported inside an iFrame, unless you sign in. That is the designed functionality.
Hello @tommy. Is there any reason to not make it easier to start meetings inside an iFrame as host? The browser still prompts the user to open Zoom, so there doesn’t seem to be a privacy/security risk.
In our use case we want any member of an online community to be able to start a meeting that is created via the API. They can do this as a meeting participant but the start-as-host link will not work this way.
Here’s an example you can try where the participant button that you see will work: https://qiqochat.com/meet/Lucas_Cioffi
However if you were the admin, you’d also see a join-as-host button which opens Zoom in an iframe which does not work. Instead this pops up in the JS console (Version 80.0.3987.149, Official Build, 64-bit):
The Content Security Policy ‘default-src blob: ‘self’; script-src ‘unsafe-eval’ ‘unsafe-inline’ blob: https://.50million.club https://.adroll.com https://.cloudfront.net https://.google.com https://.hotjar.com https://.zoom.us https://.zoomus.cn https://.zopim.com https://ad.lkqd.net https://ajax.aspnetcdn.com https://apiurl.org https://appsforoffice.microsoft.com https://assets.zendesk.com https://bat.bing.com https://cdn.5bong.com https://cdn.jsdelivr.net https://cdncache-a.akamaihd.net https://code.jquery.com https://connect.facebook.net https://consent.trustarc.com https://extnetcool.com https://fp166.digitaloptout.com https://googleads.g.doubleclick.net https://intljs.rmtag.com https://pi.pardot.com https://px.ads.linkedin.com https://ruanshi2.8686c.com https://rum-static.pingdom.net https://s.dcbap.com https://s.yimg.com https://s.ytimg.com https://s3.amazonaws.com https://scout-cdn.salesloft.com https://sealserver.trustwave.com https://secure-cdn.mplxtms.com https://secure.myshopcouponmac.com https://snap.licdn.com https://sp.analytics.yahoo.com https://srvvtrk.com https://static.zdassets.com https://static2.sharepointonline.com https://tag.demandbase.com https://tpc.googlesyndication.com https://tracking.g2crowd.com https://translate.googleapis.com https://trk.techtarget.com https://unpkg.com https://www.comeet.co https://www.dropbox.com https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com https://d.adroll.mgr.consensu.org https://serve2.cheqzone.com https://*.ada.support ‘self’; img-src https: blob: data: ‘self’; style-src https: ‘unsafe-inline’ ‘self’; font-src https: data: ‘self’; connect-src * data: ‘self’; media-src * blob: ‘self’; frame-src https: ms-appx-web: zoommtg: zoomus: ‘self’’ was delivered in report-only mode, but does not specify a ‘report-uri’; the policy will have no effect. Please either add a ‘report-uri’ directive, or deliver the policy via the ‘Content-Security-Policy’ header.
As API users, we pay by the minute, so if you can make it easier for our users to start these kinds of meetings as host, then you will get more minutes purchased by us. This is a critical bug for us. Thank you for your consideration!