Youtube-nocookie invalid SSL certificate

Hi,

We are trying to allow embedded youtube videos in our marketplace app. We would like to support both the standard embed links and the “privacy enhanced mode” ones. The privacy enhanced url (www.youtube-nocookie.com) is not possible to add to the domain allow list due to failing some SSL certificate check.

Others have gotten this allowed according to Domain allow list issue: "Domain uses invalid SSL ... - Zoom Community but I do not see any real steps to take, other than I guess submit the changes to the marketplace setup for review and maybe it gets manually approved at that stage? Or is there anything else that we should be doing to get the domain allowed?

Hi @aaanders,

You’re correct that embedding YouTube videos using the “privacy-enhanced mode” (which uses https://www.youtube-nocookie.com) may fail domain checks in platforms with strict Content Security Policies or domain allowlists — especially in environments like Zoom’s Marketplace app.

To support youtube-nocookie.com, you should ensure your CSP explicitly allows it under relevant directives (like script-src, style-src, img-src, media-src, etc.).

Here’s a sample update using Next.js (next.config.js) that demonstrates how to properly include https://www.youtube-nocookie.com without affecting other existing policies. This should allow embedding videos using either standard or privacy-enhanced YouTube URLs:


Sample next.config.js update (CSP modified to support youtube-nocookie):

/** @type {import('next').NextConfig} */

const ContentSecurityPolicy = `
  script-src 'self' https://youtu.be ${process.env.HOME_URL} https://browser.sentry-cdn.com/7.34.0/bundle.min.js  https://api.iconify.design https://www.google-analytics.com https://www.google-analytics.com/analytics.js https://www.google.com https://i.ytimg.com https://www.youtube.com/iframe_api https://www.youtube.com https://www.youtube-nocookie.com https://code.iconify.design https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://appssdk.zoom.us/sdk.js https://pianco.deskntea.com 'unsafe-eval' 'unsafe-inline';
  style-src 'self' https://youtu.be https://www.youtube.com https://www.youtube-nocookie.com https://fonts.googleapis.com ${process.env.HOME_URL} 'unsafe-inline';
  font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com;
  img-src ${process.env.HOME_URL} 'self' data: blob: https://www.youtube.com https://www.youtube-nocookie.com https://i.ytimg.com;
  worker-src * 'self' blob: 'unsafe-eval';
  media-src https://meetlala-onboarding.s3.us-east-2.amazonaws.com https://youtu.be https://www.youtube.com https://www.youtube-nocookie.com;
  connect-src 'self' wss: https: data: blob: https://meetlala-onboarding.s3.us-east-2.amazonaws.com https://youtu.be https://www.youtube.com https://www.youtube-nocookie.com ${process.env.WS_URL}/api/socketio;
`;

const headers = [
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload'
  },
  {
    key: 'Content-Security-Policy',
    value: ContentSecurityPolicy.replace(/\s{2,}/g, ' ').trim()
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  // ('frameguard' is a Helmet middleware option, not an HTTP response header,
  //  so it is not emitted here; X-Frame-Options above already covers framing.)
  {
    key: 'Access-Control-Allow-Origin',
    value: "https://www.youtube.com"
  },
  {
    key: "Access-Control-Allow-Methods",
    value: "GET,DELETE,PATCH,POST,PUT"
  }
];

const nextConfig = {
  compress: true,
  reactStrictMode: false,
  async headers() {
    return [{
      source: '/:path*',
      headers: headers,
    }];
  },
  async rewrites() {
    // No rewrites are necessary for youtube-nocookie.com,
    // but you can optionally add rewrites if you want to proxy any YouTube endpoints.
    return [];
  },
};

module.exports = nextConfig;

Notes:

  • This only adds https://www.youtube-nocookie.com to the required directives in your CSP (e.g., script-src, style-src, img-src, media-src, connect-src).
  • All your existing domains and security policies are preserved.
  • If you’re submitting this app for Zoom App Marketplace review, they may still require a manual approval step, especially for domains with unconventional SSL setups (as noted in Zoom’s Community post).
  • No rewrites are added here, but if needed, you can proxy or rewrite youtube-nocookie.com resources through your backend or Next.js rewrites — entirely optional.

Let me know if you’d like to support iframe embedding explicitly (e.g. via frame-src), or need help submitting to the Zoom Marketplace.

Hope this helps!

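An added example (not code from the thread or from Zoom): the reply above lists youtube-nocookie.com under script-src, style-src and so on, but an iframe embed is governed by frame-src, falling back to child-src and then default-src. The checker below walks that fallback chain for a URL; its policies are constructed for illustration and the source matcher is simplified (path and port parts of host sources are ignored).

```javascript
// Added example, not code from the thread: which CSP directive governs an
// embedded YouTube <iframe>, and what happens when it is absent.
// Fallback chain per the CSP spec: frame-src -> child-src -> default-src,
// while script-src, img-src, media-src and connect-src fall back to default-src.
const FALLBACK = {
  'frame-src': ['child-src', 'default-src'],
  'child-src': ['default-src'],
  'script-src': ['default-src'],
  'img-src': ['default-src'],
  'media-src': ['default-src'],
  'connect-src': ['default-src'],
};

// Parse "dir a b; dir2 c" into { dir: ['a', 'b'], dir2: ['c'] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Does one source expression permit this URL? pageOrigin resolves 'self'.
// Simplified matcher: path and port components of host sources are ignored.
function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;            // 'none', 'unsafe-inline', nonces...
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // e.g. https:, blob:
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^/:]+)(?::[^/]+)?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== `${scheme}:`) return false;
  return wildcard ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
}

// Returns { directive, allowed }: the directive that decided and the outcome.
// When neither the directive nor any fallback is present, CSP does not restrict.
function check(policy, directive, urlString, pageOrigin) {
  const csp = parseCsp(policy);
  const url = new URL(urlString);
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (csp[name]) {
      return { directive: name, allowed: csp[name].some((s) => sourceMatches(s, url, pageOrigin)) };
    }
  }
  return { directive: null, allowed: true };
}
```

Run `check(policy, 'frame-src', 'https://www.youtube-nocookie.com/embed/abc123', 'https://your.app')` against your real header value to see which directive decides the embed, which is the check to do before touching the allow list.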

Hi,

we don’t have any CSP config issues. I don’t see how that is relevant, but yes obviously by “embedded videos” I mean iframed videos. There are no issues with the frame-src (standard youtube.com videos work fine).

The only issue is adding the url to the allowed domain list:

I want to know if I should just submit this change to the app config and then someone can manually approve the url in the domain allow list, or is there some other way that the example from the community forum I included managed to get the exact same url approved in their marketplace setup?

Hi Anders,

Thanks for the update.

To allow embedded YouTube videos — including those from the youtube-nocookie.com domain — you must add the domain to your Content Security Policy (CSP) as well, not just the domain allow list.

However, as mentioned earlier, www.youtube-nocookie.com is currently serving an invalid SSL certificate (it presents a *.google.com certificate, leading to a NET::ERR_CERT_COMMON_NAME_INVALID error). This SSL issue must be resolved before the domain can be accepted on the allow list or pass any automated checks.

Since youtube-nocookie.com is a Google-owned subdomain, this issue is outside your control — you won’t be able to fix it directly. The best workaround is to proxy the content through your own domain with a valid certificate, or use the standard www.youtube.com embed link (which works fine with CSP and domain allow lists).

Alternatively, if you’re using Next.js, you can configure a rewrite rule to proxy video embeds through your own domain. For example:

module.exports = {
  async rewrites() {
    return [
      {
        // Requests to /embed/<id> on your own domain are answered with the
        // embed page fetched from youtube-nocookie.com. Only that document is
        // proxied; subresources it references still load from Google's origins.
        source: '/embed/:videoId',
        destination: 'https://www.youtube-nocookie.com/embed/:videoId',
      },
    ];
  },
};

Then you can embed videos using your domain, e.g., https://yourdomain.com/embed/abc123, while serving the content from youtube-nocookie.com behind the scenes.

Let us know if you need help setting up the proxy or adjusting your CSP.

Best,
Naeem Ahmed

Hi Naeem,

It seems that https://youtube-nocookie.com does indeed have an invalid SSL cert, but https://www.youtube-nocookie.com (which is the one I am trying to support) does have a valid cert:

Just to reiterate, I am pretty certain that we don’t have any CSP issues. While setting up a proxy is a valid solution, I just don’t see how that should be needed. If the marketplace SSL cert validation fails to validate a valid SSL cert that should really be because the validation is faulty on your end.

Hi,

we ended up just submitting the changes to the marketplace app to see what feedback that would give, and the url did indeed get approved manually.

Thanks
