Recording playback URLs started returning X-Frame-Options: SAMEORIGIN, breaking our iframe embedding

Description/Error
A clear and concise description of what the question is. If it is an error, please post the full error message with the error/response code.

Which Endpoint/s?
Knowing the endpoint/s can help us to identify your issue faster. Please link the ones you need help/have a question with.

How To Reproduce (If applicable)
Sample URL:

Screenshots (If applicable)
If applicable, add screenshots to help explain your problem.

From a similar URL showing the sameorigin header.

Additional context
We’ve had embedded recording playback as a feature on our website since late 2017. Apparently Zoom deployed a change in the last day or so to add the sameorigin header to the playback page, breaking our behavior and generating a number of customer complaints for us.

I have a similar problem that @mikhail reported . I believe Zoom might have changed their X-Frame-Options recently, and unfortunately this has broken my app too.

I was embedding a hidden iframe, and when I changed the src of that iframe, it was an easy way to open Zoom without the user having to go to a new browser tab.

Here is the error message in the browser’s JavaScript console:
“Load denied by X-Frame-Options: https://zoom.us/j/123123123 does not permit cross-origin framing.”

Having to open up Zoom in a new tab will significantly detract from our user experience.

We have a very similar use case as @lucas.cioffi. Hidden embedded iFrame that launches the zoom client for the most seamless experience of joining a zoom meeting from our app.

This change has broken a core functionality of our app.

Hey @mikhail, @lucas.cioffi, and @edward,

Thanks for bringing this to our attention, and apologies this happened. We have just fixed the issue.

It should work now :slight_smile:

Thanks,
Tommy

Hey @tommy, thank you for quickly passing this along.

However, we are still running into an issue with the same-origin policy:

Thanks @tommy, we’ve confirmed the fix on our side - recordings work again when embedded in an iframe. Appreciate the prompt resolution!

Would love to know more about the cause, if there’s anything you can share.

1 Like

Hey @edward, we are working on a fix for the X-Frame embedding start and join urls.

I will post back here with updates!

Thanks,
Tommy

Happy to hear @mikhail, I will post back here with an update after we resolve the remaining X-Frame errors.

Thanks,
Tommy

Hey @edward ,

This should be fixed now. Please let me know if it works!

Thanks,
Tommy

Yes this is working now, thank you!

Could we get some context around these decisions? We have a number of frustrated users as we were incapable of preparing for this situation. We also had to consider immediate long term changes to our application wrt Zoom as it was unclear if this change was intentional or not.

1 Like

Hey @edward, happy to hear it is working, and our sincerest apologies this happened!

We released half of a feature accidentally over the weekend which caused this issue. We have since reverted, and are working to make sure this does not happen again.

Thanks,
Tommy

Hello @tommy thank you very, very much for these prompt fixes! That solved our main problem.

There’s one more path that I found which is not yet working: https://zoom.us/wc/JOIN_ID_GOES_HERE

1 Like

You are welcome, our engineers worked promptly to fix :slight_smile:

/wc should be working. What is the error you are getting?

Thanks,
Tommy

Hello, Tommy, here is the error:

Refused to display 'https://zoom.us/wc/ID_GOES_HERE/join?prefer=1&un=THVjYXMgQ2lvZmZp' in a frame because it set 'X-Frame-Options' to 'deny'.

Thanks @lucas.cioffi, our engineers are working on it, and I will update you once it is fixed!

Thanks for your patience :slight_smile:

-Tommy

@tommy any update on this? It’s been over a week and is causing a lot of confusion for our users.

Hey @sbarty,

Yes we have a fix, and it should be released next week.

Thanks,
Tommy

Hey @sbarty, @lucas.cioffi, and everyone,

We will have this (/wc path) fixed in a release coming this weekend.

Thanks again for your patience.

-Tommy

@tommy just wanted to follow up on this and verify that the fix went live this past weekend. Thanks!

Hey @sbarty,

Yes it did :slight_smile:

Thanks,
Tommy

1 Like