Cross origin isolation in Chrome

Cross-origin isolation is a new security feature that Chrome enforces from version 92 onwards, which is scheduled for release on 20th July 2021. From that release, web pages that use powerful, performance-critical features such as SharedArrayBuffer will be required to be cross-origin isolated.

Why it’s Important for Zoom WordPress Plugin Users

This feature release is critical for our Zoom WordPress plugin users. It means that the Zoom Web SDK used by our plugin will not be able to function properly if cross-origin isolation is not enforced for the Zoom meeting view. Here is the official announcement by Zoom in this regard. The Zoom meeting features that have been tested and found to fail without complying with this security update are the Share Video and Gallery View features on the embedded Zoom meeting page.

The Next Step

The great news is that the compatibility for this change has already been released in our v4.16.0 update of the Zoom WordPress plugin on July 13, 2021.
All you need to do is to update the plugin to this version to avoid any troubles for the users accessing the plugin after July 20th with the Chrome v92 release.

Common Issues After the Update

The plugin v4.16.0 update might create some issues on your Zoom meeting page, but only for certain use cases. The points below address issues that could show up on the Zoom meeting embed page ONLY IF you are:

  1. Loading resources on that page from a site other than your current site domain.
  2. Embedding URLs from a cross-domain or even your own site.
    Your domain: https://examplesite.com
    Cross-domain: https://someothersite.com

These errors could show up in the Chrome DevTools console:
1) Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep
2) Specify a Cross-Origin Embedder Policy to prevent this frame from being blocked
3) Specify a Cross-Origin Resource Policy to prevent a resource from being blocked

Caution: Technical knowledge will be needed to address points #2 and #3.


  1. If you are embedding an iframe from your own site domain on the Zoom meeting embed page, you will have to add ?zoom-meeting-page-embed=1 to the end of your iframe URL. This makes sure that the plugin sets the specific HTTP headers on the embed URL that is present on your meeting page.

  2. The real problem comes with cross-domain interaction. If you are adding resources (<script>, <link>, <video> and <img>) from a cross-domain on your Zoom meeting embed page, you will have to set a Cross-Origin Resource Policy (CORP) header on your cross-domain site instead.
    To enable this CORP HTTP header in PHP you can use the header() function

    <?php
    // Allow this resource to be loaded by pages on other origins.
    header( 'cross-origin-resource-policy: cross-origin' );

    To set this via .htaccess file on your cross-domain Apache server you can use the below snippet

    Header Set Cross-Origin-Resource-Policy cross-origin


  3. If you are embedding URLs (<iframe> or <embed>) from a cross-domain on your Zoom meeting embed page, you will have to set a Cross-Origin Embedder Policy (COEP) header on your cross-domain. To enable this COEP HTTP header in PHP you can use the header() function

    <?php
    // Opt this embedded document in to the embedder policy.
    header( 'cross-origin-embedder-policy: require-corp' );

    To set this via .htaccess file on your cross-domain Apache server you can use the below snippet
    Header Set Cross-Origin-Embedder-Policy require-corp

  4. Lastly, if you don't have any control over the cross-domain to make the above changes, then you can consider downloading the resources from the third-party site and loading them from your own domain instead.
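
To find out ahead of time which embeds on a meeting page need one of the headers from points 1 to 3, the Node.js sketch below applies the same checks to a list of embeds and their response headers. It is an added example, not code from the plugin or from Zoom; `checkEmbed`, `audit` and the sample URLs are hypothetical, and the sample data is constructed. It also applies the browser rule that a cross-origin frame document needs the Cross-Origin-Resource-Policy header in addition to COEP, which goes beyond the steps listed above.

```javascript
// Added example: predicts which embeds a COEP: require-corp page would block.
// Simplifications (assumptions): plain no-cors loads only, and a CORP value of
// "same-site" is treated like "same-origin" (site matching needs the PSL).

function header(headers, name) {
  // Header names are case-insensitive; drop any ";param" suffix from the value.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]).split(';')[0].trim().toLowerCase() : null;
}

function checkEmbed(pageUrl, embed) {
  const sameOrigin = new URL(pageUrl).origin === new URL(embed.url).origin;
  const corp = header(embed.headers, 'cross-origin-resource-policy');
  const coep = header(embed.headers, 'cross-origin-embedder-policy');
  const missing = [];

  // Frames (<iframe>, <embed>) must send COEP, even from your own domain.
  if (embed.kind === 'frame' && coep !== 'require-corp') {
    missing.push('Cross-Origin-Embedder-Policy: require-corp');
  }
  // Anything served from another origin must allow cross-origin embedding.
  if (!sameOrigin && corp !== 'cross-origin') {
    missing.push('Cross-Origin-Resource-Policy: cross-origin');
  }
  return { url: embed.url, blocked: missing.length > 0, missing };
}

function audit(pageUrl, embeds) {
  return embeds.map((e) => checkEmbed(pageUrl, e));
}

// Constructed sample data using the placeholder domains from this post.
const PAGE = 'https://examplesite.com/zoom-meeting/';
const EMBEDS = [
  { kind: 'resource', url: 'https://examplesite.com/logo.png', headers: {} },
  { kind: 'resource', url: 'https://someothersite.com/app.js', headers: {} },
  { kind: 'resource', url: 'https://someothersite.com/a.css',
    headers: { 'Cross-Origin-Resource-Policy': 'cross-origin' } },
  { kind: 'frame', url: 'https://examplesite.com/widget/', headers: {} },
  { kind: 'frame', url: 'https://someothersite.com/player',
    headers: { 'cross-origin-embedder-policy': 'require-corp' } },
];

for (const r of audit(PAGE, EMBEDS)) {
  console.log(r.blocked ? 'BLOCKED' : 'ok     ', r.url, r.missing.join('; '));
}
```

Fill `EMBEDS` with the headers you see in the Network tab of DevTools for each resource on your own meeting page.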

Are you facing any other issues after the update? Comment below so we can address that too!
