Access-Control-Allow-Origin required for asset in script tag within document retrieved by JS in iframe

I'm trying to integrate a self-hosted third party application, by iframing it into my Retool app. The application uses a <script> tag to retrieve and run JS that itself retrieves another HTML page, that is then iframed within the page of the self-hosted app. That page contains another <script> tag, that looks like this:

<script type="module" crossorigin src="/assets/index-$UUID.js"></script>

When retrieving that page while the self-hosted app is iframed into my Retool app, I get the error:

Access to script at '$UUID.js' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

There's no such issue when I directly load the app, in the same browser.

How can I fix this? Is this caused by Retool's sandbox requiring the Access-Control-Allow-Origin header to be set even for requests from within <script> tags (which are normally exempt)? If so, is there some way to relax that requirement?

Hi @SamirUnni - welcome to the community!

You can fix it by checking the "Storage and cookies" box (kudos to this solution)

I did some digging with your third-party app and can confirm it works.

Hope this helps

1 Like

Perfect, that fixed it - thank you!