Server API Call CORS Problem

Hello, I am developing a real-time interpretation application through Zoom Apps.

However, I have run into CORS issues while developing this application. This phenomenon occurs in all requests sent to our backend server from within Zoom Apps. Most of the requests our system sends to the server are proxied through the NextJS server so there are no CORS issues, but requests to connect websockets (SockJS + STOMP) (/ws/chat/info) and requests to directly fetch images from the server are sent directly from Zoom Apps to the server, so CORS issues occur.

I have added the server URL to the Domain Allow List and also included the server in the OWASP settings. I have considered various reasons but I am completely unable to find a solution. Please I desperately need help.

Our system structure implements the frontend with React+Next and uses Spring Boot for the backend. And client users directly call the Azure STT service. Also, since there are meeting rooms where real-time interpretation takes place, web socket connections are required.

Currently, since we are prototyping the Zoom App, we have opened a ngrok server locally to handle oAuth work. After handling authentication like that, we connect the Home Page URL to our frontend server to test the actual system.
Since requests proxied through Next work normally, most features work properly but only calls to our server generate errors.

+By the way, I am not using known ports like 3000, 8080, 443.

@inhyeok Thank you for reaching out! As a first step, I would make sure that you re-authorize your app after making those changes to ensure they take effect.

If that doesn’t help, I would make sure that the Content Security Policy header that your app is using includes this domain. We have more information on this header here:

If that doesn’t help please share the CSP header that you are using.

In the meantime, you can also check the server to ensure that it is not sending a 403 response due to another issue.