Configure same-origin and sandbox for iframes
Learn how to configure same-origin policy and sandboxing for iframes and custom components.
By default, self-hosted deployments enforce the same-origin policy for iframes and custom components embedded in Retool apps. All embedded content is considered to be from a separate origin and fails the same-origin policy.
This isolates embedded content for security purposes, but it can restrict functionality, such as:
- Storing data or cookies.
- Access to certain JavaScript APIs.
If necessary, you can update your deployment configuration to use the allow-same-origin attribute.
Update environment variables
You can update your environment variable configuration to use allow-same-origin for iframe content by setting the ALLOW_SAME_ORIGIN_OPTION to true.
If you need iframes to use allow-same-origin, you must also set the SANDBOX_DOMAIN environment variable.
Configure sandbox domain
All JavaScript within Retool apps runs in the browser. If a user writes JavaScript code that can perform malicious actions, setting SANDBOX_DOMAIN can help protect your other users.
Setting SANDBOX_DOMAIN provides an alternative origin for the browser when executing JavaScript. All user-written code that runs in the browser uses the origin defined by SANDBOX_DOMAIN. This prevents the code from interacting with the base domain, including the authentication cookies for your Retool backend.
If SANDBOX_DOMAIN is not set, any custom JavaScript code runs on the same domain as your Retool deployment instance.
The domain you use for SANDBOX_DOMAIN must be a fully functional domain that routes HTTP requests to your Retool instance. In many cases, this requires registering a new domain, as well as configuring its DNS records.
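
A pre-deployment check for the two settings described above, as an added example that is not Retool's own code. The function name checkSandboxConfig, the baseUrl input (the URL users open to reach the instance), and the acceptance of either a bare host or a full URL for SANDBOX_DOMAIN are assumptions of this example.

```javascript
// Added example: lint ALLOW_SAME_ORIGIN_OPTION and SANDBOX_DOMAIN before deploying.
// `baseUrl` (the URL users open to reach the instance) is an assumed input.
function toUrl(value) {
  // Assumption: the value may be a bare host or a full URL.
  return new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : `https://${value}`);
}

function checkSandboxConfig(env, baseUrl) {
  const findings = [];
  const allowSameOrigin = String(env.ALLOW_SAME_ORIGIN_OPTION || "").toLowerCase() === "true";
  const sandbox = (env.SANDBOX_DOMAIN || "").trim();

  if (!sandbox) {
    findings.push(allowSameOrigin
      ? "error: ALLOW_SAME_ORIGIN_OPTION is true but SANDBOX_DOMAIN is not set"
      : "warn: SANDBOX_DOMAIN is not set; custom JavaScript runs on the deployment's own domain");
    return findings;
  }

  let sandboxUrl, base;
  try {
    sandboxUrl = toUrl(sandbox);
    base = toUrl(baseUrl);
  } catch {
    return ["error: SANDBOX_DOMAIN or base URL is not a valid host or URL"];
  }

  if (sandboxUrl.hostname === base.hostname) {
    // Cookies are scoped by host, not by port or scheme.
    findings.push("error: SANDBOX_DOMAIN is the same host as the base domain, so its cookies are not isolated");
  } else if (sandboxUrl.hostname.endsWith(`.${base.hostname}`) ||
             base.hostname.endsWith(`.${sandboxUrl.hostname}`)) {
    // Heuristic: a cookie set with a Domain attribute on a parent host is also sent to its subdomains.
    findings.push("warn: SANDBOX_DOMAIN and the base domain are parent and child hosts; domain-scoped cookies are shared between them");
  }
  return findings;
}

// Constructed sample values, not taken from a real deployment.
console.log(checkSandboxConfig(
  { ALLOW_SAME_ORIGIN_OPTION: "true", SANDBOX_DOMAIN: "sandbox.retool.example.com" },
  "https://retool.example.com"));
```

An empty result means none of these checks fired; it does not confirm that the sandbox domain actually routes HTTP requests to the instance.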