Cross-origin frame problem printing PDF from Custom Component

I am evaluating Stimulsoft's Report.JS reporting tool for compatibility with Retool.

I am having trouble getting it to successfully print a PDF - a common problem it seems.

When I try and print the PDF using Report.JS's built-in print button, I get a cross-origin frame warning and no PDF shows up.

It is trying to get the PDF using this URI: blob:https://retool-edge.com/a8f0ba53-3fd8-4280-aaf9-d791672400d1

I am not sure why it is diverting to retool-edge.com and that appears to be the cause of the problem.

I am using a custom component with all iFrame permissions enabled.

I have created a public app to demo the problem to Stimulsoft, but so far no bright ideas from their end: StimulsoftTesting

Here is the JSON in case it's needed: StimulsoftTesting.json


Could the solution to this simply be adding a CORS policy to your servers to allow retool-edge.com? Hard to see how that would be a security hole, as it's basically the same thing typically done when a site allows CORS with its own api.domain.com.

I can confirm this issue still exists, particularly when we are using modules.

Hey there! As a security measure, Retool runs all custom JavaScript on a separate sandboxed domain. Self-hosted orgs can set this domain with the SANDBOX_DOMAIN environment variable, but for Cloud hosted orgs it will be retool-edge.

Different browsers handle cross-origin requests differently. It looks like this may be a result of CORB or something similar, since the linked JSON seems to work for me in Firefox but not Chrome. I'm not familiar with Stimulsoft and could be wrong but, unfortunately, that might mean that it's not supported in Retool at the moment.

Hi @Kabirdas

Is there some documentation about this SANDBOX_DOMAIN var for self-hosted instances? I could not find any mention of this except in your post :wink:

Thanks!

jfp

Hi @jfpaccini I don't believe we have additional documentation for this. Do you have any further questions? Happy to help!

Hi @Tess

Well, anything that can help make the sandbox more 'flexible' is welcome. We use self-hosted Retool and as such would like to have more flexibility in things we can embed into Retool apps.

I have spent quite some time on this (and found a workaround that I am going to publish :wink: ) but going by the books would be safer. So I am curious about the following variables used in self-hosted:

MAIN_DOMAIN
RESTRICTED_DOMAIN
SANDBOX_DOMAIN

Thanks :slight_smile: