Samesite Cookie Policy Iframe Meeting Video

Hello. Please help me with this issue.

Description
I want to embed the zoom meeting in an interface through an iframe. The issue is that future versions of Google Chrome and other browsers will implement the SameSite cookie policy (for more details, see 1) and your service implementation did not take this into consideration.
The implication is that the cookies which are typically sent with all the requests to your interface will not be attached anymore if the interface is embedded in an iframe.
This means that no session will be kept anymore and it leads to other issues like the user not being able to log in. The question is if and when you will address this? Or has it already been taken into consideration?
The response to this question will help me in taking a decision about including your interface in my application.

How To Reproduce
To be able to reproduce this, follow these steps:

  • create a meeting with Zoom API and keep the “start_url” URL;
  • host and create a simple html file with an iframe that leads to the start_url. We considered these attributes to be required for the iframe: allow="geolocation; microphone; camera;" sandbox="allow-same-origin allow-scripts allow-popups allow-modals allow-forms";
  • install the latest version of Google Chrome;
  • visit chrome://flags/ and search for “samesite”;
  • set the option “SameSite by default cookies” to “enable”;
  • reload the browser;
  • if that html file and the start_url are on different domains, the SameSite cookie policy applies. You will then see the problems I described above.

Solution
The solution to this is to set the SameSite attribute of some key cookies that are set by your server to “SameSite=None” and check them accordingly to avoid CSRF (Cross Site Request Forgery) attacks.

Additional context
For more details about SameSite cookie attribute, visit:

  1. https://www.chromium.org/updates/same-site
  2. https://web.dev/samesite-cookies-explained/

Hey @robert.simion, thanks for posting and using Zoom!

The correct way to embed Zoom and to avoid any issues with the SameSite Cookie Policy is to use the Zoom Web SDK.

Thanks,
Tommy