Hello. Please help me with this issue.
The implication is that the cookies which are typically sent with all the requests to your interface will not be attached anymore if the interface is embedded in an iframe.
This means that no session will be kept anymore, and it leads to other issues like the user not being able to log in. The question is if and when you will address this. Or has it already been taken into consideration?
The response to this question will help me in making a decision about including your interface in my application.
How To Reproduce
To be able to reproduce this, follow these steps:
- create a meeting with Zoom API and keep the "start_url" URL;
- host and create a simple html file with an iframe that leads to the start_url. We considered these attributes to be required for the iframe: allow="geolocation; microphone; camera;" sandbox="allow-same-origin allow-scripts allow-popups allow-modals allow-forms";
- install the latest version of Google Chrome;
- visit chrome://flags/ and search for "samesite";
- set the option "SameSite by default cookies" to "enable";
- reload the browser;
The solution to this is to set the SameSite attribute of some key cookies that are set by your server to "SameSite=None" and check them accordingly to avoid CSRF (Cross-Site Request Forgery) attacks.
For more details about SameSite cookie attribute, visit: