I'm trying to integrate a self-hosted third party application, by iframing it into my Retool app. The application uses a
<script> tag to retrieve and run JS that itself retrieves another HTML page, that is then iframed within the page of the self-hosted app. That page contains another
<script> tag, that looks like this:
<script type="module" crossorigin src="/assets/index-$UUID.js"></script>
When retrieving that page while the self-hosted app is iframed into my Retool app, I get the error:
Access to script at 'https://link.flexpa.com/assets/index-$UUID.js' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
There's no such issue when I directly load the app, in the same browser.
How can I fix this? Is this caused by Retool's sandbox requiring the
Access-Control-Allow-Origin header to be set even for requests from within
<script> tags (which are normally exempt)? If so, is there some way to relax that requirement?