I’m glad you’ve found a way to bypass the web isolation (the “advanced” guide is not really covering but bypassing the web isolation), but the provided example is certainly not covering most of the integration cases your customers have. As an example: single web applications.
You are publishing an SDK, not an application, so you should provide a more generic way of covering some aspects of the SDK.
Anyway, I'm not here to add more criticism; I have a couple of questions.
1/ The disableCORP property on init() call
This one is set to ‘true’ by default, so unless we deactivate this property (based on window.crossOriginIsolated as in the guide’s example) it means that communications within the Zoom SDK are not using web isolation (e.g. not returning the expected headers).
- Is my understanding correct?
- Why has nobody talked about that parameter and its default value until now when it comes to web isolation? If the understanding is correct, then that is definitely affecting tests & results performed.
- Is there any relationship with the warning that pops up in the console when the sharedArrayBuffer OT is used without the web isolation?
2/ What about the COEP Credentialless OT ?
The mentioned guide does not mention the COEP credentialless origin trial, which is there to authorize web isolation mode on pages that are not yet fully compliant with web isolation (instead of using the method used in the guide to fake & deactivate it).
You can find more information about that in the reported thread here
Do you mind updating your guide to include this origin trial in the solutions?