Zoom App: "403 Forbidden, domain or scheme is not allowed" despite whitelisting domain

Zoom Apps Configuration
PHP + Vanilla HTML/JS

I cannot open a link to a site that I’ve added to the domain allow list. I get “403 Forbidden, domain or scheme is not allowed:”

How To Reproduce
Create an <a> tag that links to a site that's been whitelisted. In the Zoom App, click the href.

Try using https://golinks.io. You need to add the protocol, because by default the browser tries the http protocol.

Nope, it was set to that originally. I still get the same error.

I’m starting to think this is because the other pages don’t have the same OWASP headers. Any URL’s the app redirects to must have the same headers, correct?

That’s right, you can only show pages that have the OWASP headers. However, I think this is related to the domain whitelist. Make sure that you are adding the domain without the www. to see if that works for you.

Let me know if that helps.

@MaxM no luck, I am getting the same error without www in both the domain whitelist (which prevents me from adding a www) and the a href tag.

I am however noticing varying behavior when I try to redirect to other sites. I added “shipit.today” to the domain whitelist and when I redirect to “https://shipit.today/”, I get the (correct?) OWASP error.

When I try to redirect to “https://golinks.io/”, I get the 403 forbidden error. Does this point to an error on my side with the website configuration?

Another thing that might be worth mentioning is that my home URL is "[home].golinks.io/[file].php" and redirecting to "[home].golinks.io" works just fine - the page loads and everything, even without the OWASP headers.

Typically the 403 error would indicate an issue with the CSP header that is set or another problem with the permissions of golinks.io. You can use the CSP headers in the Basic Sample App as a reference.

When you redirect, do you see any console errors or server errors associated with that?

The site shouldn’t work without OWASP headers. Have you confirmed the site is not sending OWASP headers through the network tab?
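A quick way to do the check suggested above is to paste the response headers (from the browser's network tab or from `curl -sI https://your-site/`) into a small audit script and let it report which of the expected headers are missing or misconfigured. The example below is added here and is not code from the thread or from Zoom; the REQUIRED_HEADERS set is an assumption modelled on the headers the Basic Sample App sends (HSTS, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy), so adjust it to whatever Zoom's current documentation lists. The two sample responses are constructed, not captured from golinks.io or shipit.today.

```python
"""Audit a page's security headers against the set a Zoom App page is
expected to send, using raw `curl -I` style output as input.

Assumption (not from the thread): the required set mirrors the headers the
Zoom Basic Sample App sets. Edit REQUIRED_HEADERS to match current docs.
"""

# header name (lowercase) -> predicate that the header value must satisfy
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: bool(v.strip()),
    "referrer-policy": lambda v: bool(v.strip()),
}


def parse_raw_headers(raw):
    """Parse `curl -I` output (status line plus header lines) into a dict
    keyed by lowercase header name. Repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers):
    """Return {header: problem} for every required header that is missing or
    carries an unexpected value. An empty dict means the page passes."""
    problems = {}
    for name, check in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            problems[name] = "missing"
        elif not check(value):
            problems[name] = f"unexpected value: {value!r}"
    return problems


# Constructed sample responses (not real captures from any site).
SAMPLE_OK = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self'
referrer-policy: same-origin
"""

SAMPLE_BROKEN = """HTTP/2 200
content-type: text/html; charset=utf-8
x-content-type-options: none
content-security-policy: default-src 'self'
"""

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        result = audit_headers(parse_raw_headers(raw))
        print(label, "->", result or "all required headers present")
```

Run it on the headers of the page you are redirecting to as well as on your home page: a page that loads fine in the Zoom App but reports missing headers here is a sign the 403 comes from something other than the OWASP header check (for example the domain allow list or the CSP of the page doing the redirect).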