Allowed origins when using embedding in iframe/custom component

We are embedding an external application/service in our Retool project utilizing an iFrame.
That application requires clients to set "Allowed Origins"; otherwise, there are policies which restrict loading in an iFrame.

We provided as our Allowed Origin: https://retool-edge.com/*
(We are using cloud-hosted Retool, and they claim to support '*' as a wildcard.)

However, when trying to load the application using iFrame, we're getting a 'Refused to Connect'.
Looking in Dev Tools, we're getting something like this:
Refused to frame 'https://___.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://retool-edge.com/*".

Before I reached out to that vendor I wanted to confirm: is https://retool-edge.com/* in fact the correct hostname to use for Allowed Origin?

One other thing: there is another error message that appears:
Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://retool-edge.com') does not match the recipient window's origin ('null').
It looks like that appears just on a reload.

Any help would be much appreciated!
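
An added example, not part of the original post and not Retool's or the vendor's code: a simplified, origin-only version of how CSP Level 3 matches frame-ancestors source expressions against an embedding page, run on the directive from the error above. It shows how the matching rules treat each form of the entry, not which origin Retool actually serves from; the embedded app's origin (redacted in the post) and the "tenant" subdomain in the last check are constructed placeholders.

```javascript
// Added example: simplified frame-ancestors matching (host-sources and 'self' only).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Split a host-source such as "https://*.example.com:8443/path" into parts.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null,
           host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || "" };
}

// True when one source expression matches an ancestor's origin.
function sourceMatchesOrigin(expr, ancestorOrigin, selfOrigin) {
  const url = new URL(ancestorOrigin);
  if (expr === "'self'") return url.origin === new URL(selfOrigin).origin;
  const src = parseHostSource(expr);
  if (!src) return false;
  // A scheme-less expression inherits the protected page's scheme;
  // an http expression also matches the https upgrade.
  const scheme = src.scheme || new URL(selfOrigin).protocol;
  if (scheme !== url.protocol && !(scheme === "http:" && url.protocol === "https:")) return false;
  // "*" is a wildcard only as the whole host or as the leftmost label.
  if (src.host.startsWith("*.")) {
    if (!url.hostname.endsWith(src.host.slice(1))) return false;
  } else if (src.host !== "*" && src.host !== url.hostname) return false;
  const port = url.port || DEFAULT_PORT[url.protocol];
  const portOk = src.port === null ? port === DEFAULT_PORT[url.protocol]
                                   : (src.port === "*" || src.port === port);
  if (!portOk) return false;
  // An ancestor is compared as a bare origin (path "/"), so a path-part other
  // than "/" cannot match; "/*" is a literal path, not a wildcard.
  return src.path === "" || src.path === "/";
}

// The check passes only if every ancestor matches some source expression.
function frameAncestorsAllows(directiveValue, ancestorOrigins, selfOrigin) {
  const sources = directiveValue.trim().split(/\s+/);
  return ancestorOrigins.every(a => sources.some(s => sourceMatchesOrigin(s, a, selfOrigin)));
}

// Constructed inputs: SELF is a placeholder for the redacted embedded app.
const SELF = "https://embedded-app.example";
const PARENT = ["https://retool-edge.com"];
console.log(frameAncestorsAllows("'self' https://retool-edge.com/*", PARENT, SELF));
console.log(frameAncestorsAllows("'self' https://retool-edge.com", PARENT, SELF));
console.log(frameAncestorsAllows("'self' https://*.retool-edge.com", PARENT, SELF));
console.log(frameAncestorsAllows("'self' https://*.retool-edge.com", ["https://tenant.retool-edge.com"], SELF));
```

To find which origin to allow-list, compare the origin of every frame in the ancestor chain (visible in Dev Tools) against the value the vendor actually sends in the Content-Security-Policy response header.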