Zoom App: "403 Forbidden, domain or scheme is not allowed" despite whitelisting domain

Zoom Apps Configuration
PHP + Vanilla HTML/JS

Description
I cannot open a link to a site that I’ve added to the domain allow list. I get “403 Forbidden, domain or scheme is not allowed:”

Error?
“403 Forbidden, domain or scheme is not allowed:”

How To Reproduce
Create an <a> tag that links to a site that’s been whitelisted. In the Zoom App, click the href.

Try using https://golinks.io. You need to add the protocol, because by default the browser tries the http protocol.

Nope, it was set to that originally. I still get the same error.

I’m starting to think this is because the other pages don’t have the same OWASP headers. Any URLs the app redirects to must have the same headers, correct?

That’s right, you can only show pages that have the OWASP headers. However, I think this is related to the domain whitelist. Make sure that you are adding the domain without the www. to see if that works for you.

Let me know if that helps.

@MaxM no luck, I am getting the same error without www in both the domain whitelist (which prevents me from adding a www) and the a href tag.

I am however noticing varying behavior when I try to redirect to other sites. I added “shipit.today” to the domain whitelist and when I redirect to “https://shipit.today/”, I get the (correct?) OWASP error.

When I try to redirect to “https://golinks.io/”, I get the 403 forbidden error. Does this point to an error on my side with the website configuration?

Another thing that might be worth mentioning is that my home URL is “[home].golinks.io/[file].php” and redirecting to “[home].golinks.io” works just fine - the page loads and everything, even without the OWASP headers.

Typically the 403 error would indicate an issue with the CSP header that is set or another problem with the permissions of golinks.io. You can use the CSP headers in the Basic Sample App as a reference.

When you redirect, do you see any console errors or server errors associated with that?

The site shouldn’t work without OWASP headers. Have you confirmed the site is not sending OWASP headers through the network tab?

Ah, correction: the sites I am trying to redirect to have the correct OWASP headers.

And about the issue with golinks.io, I don’t see any errors associated with the CSP header. The only error that appears is the one I posted above.
I also notice that opening the URL with zoomSdk.OpenURL() works, but redirecting in-app does not.

edit:
In general, it seems the behavior I’m noticing is that redirecting and ‘opening as homepage’ URLs that are subdomains work, but trying to redirect to the domain alone (as specified in the domain allow list) does not.

How are you redirecting in app? Are you able to get this working with other domains or do you always see this issue?

To make sure that I understand, when you whitelist the root domain you are seeing that only subdomains are allowed. I haven’t seen this behavior in the past, especially regarding the Zoom Marketplace.

How are you redirecting in app? Are you able to get this working with other domains or do you always see this issue?

with HTML a tags. I just tried:

        <a href="https://wikipedia.org/">w</a>
        <a href="https://ja.wikipedia.org/">w subdomain</a>

with “wikipedia.org” in the domain allowlist, and I get:

403 Forbidden, domain or scheme is not allowed:
www.wikipedia.org
403 Forbidden, domain or scheme is not allowed:
ja.wikipedia.org

but it does work when I call
zoomSdk.openUrl({url: "https://wikipedia.org/"});

To make sure that I understand, when you whitelist the root domain you are seeing that only subdomains are allowed.

Since I just tested wikipedia.org, I guess this is only the case with my own domain.

@evan.cheng When it comes to wikipedia.org, it looks like there is a redirect to www.wikipedia.org. With your Zoom App, you’ll want to whitelist all of the subdomains in use.

For Wikipedia, this means the WWW version and the non-WWW version, as well as the ja subdomain.

After that, you should see an error pertaining to the OWASP headers when attempting to open the page in the client.

I hope that helps!
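As an added example (not code from the thread or from the Zoom Apps SDK), the following JavaScript models the behaviour worked out above: an allowlist matched on the exact hostname of every hop in a redirect chain, followed by a security-header check on the final page. The redirect table and the required-header list are constructed or assumed for the demo; the thread itself only names CSP.

```javascript
// Added example, not code from the thread or from the Zoom Apps SDK.
// Models an exact-host allowlist applied to every hop of a redirect chain,
// plus a security-header check on the final page. No network access: the
// responses and the required-header list below are constructed/assumed.

const ALLOWLIST = new Set(["wikipedia.org", "shipit.today"]);

// Assumed required headers (the thread only names CSP); adjust to the docs.
const REQUIRED_HEADERS = [
  "strict-transport-security",
  "x-content-type-options",
  "content-security-policy",
];

const OK_HEADERS = {
  "strict-transport-security": "max-age=31536000",
  "x-content-type-options": "nosniff",
  "content-security-policy": "default-src 'self'",
};

// Constructed responses keyed by URL; wikipedia.org redirects to www.
const RESPONSES = {
  "https://wikipedia.org/": { status: 301, location: "https://www.wikipedia.org/" },
  "https://www.wikipedia.org/": { status: 200, headers: OK_HEADERS },
  "https://ja.wikipedia.org/": { status: 200, headers: OK_HEADERS },
  "https://shipit.today/": { status: 200, headers: {} }, // no security headers
};

// Exact hostname match over https only: "wikipedia.org" does not cover
// "www.wikipedia.org" or "ja.wikipedia.org".
function hostAllowed(url, allowlist) {
  const u = new URL(url);
  return u.protocol === "https:" && allowlist.has(u.hostname.toLowerCase());
}

function checkUrl(url, allowlist = ALLOWLIST, responses = RESPONSES, maxHops = 5) {
  let current = new URL(url).href;
  for (let hop = 0; hop < maxHops; hop++) {
    if (!hostAllowed(current, allowlist)) {
      return { ok: false, reason: "domain or scheme is not allowed: " + new URL(current).hostname };
    }
    const resp = responses[current];
    if (!resp) return { ok: false, reason: "no response for " + current };
    if (resp.status >= 300 && resp.status < 400 && resp.location) {
      current = new URL(resp.location, current).href; // follow the redirect and re-check the host
      continue;
    }
    const missing = REQUIRED_HEADERS.filter((h) => !(h in (resp.headers || {})));
    if (missing.length) return { ok: false, reason: "missing security headers: " + missing.join(", ") };
    return { ok: true, finalUrl: current };
  }
  return { ok: false, reason: "too many redirects" };
}
```

With only "wikipedia.org" listed, the redirect hop to www.wikipedia.org is what trips the domain check, which is the error the thread reports; adding "www.wikipedia.org" to the allowlist lets the chain reach the header check instead.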