Cross-origin frame problem printing PDF from Custom Component

I am evaluating Stimulsoft's Report.JS reporting tool for compatibility with Retool.

I am having trouble getting it to successfully print a PDF - a common problem it seems.

When I try and print the PDF using Report.JS's built-in print button, I get a cross-origin frame warning and no PDF shows up.

It is trying to get the PDF using this URI: blob:

I am not sure why it is diverting to and that appears to be the cause of the problem.

I am using a custom component with all iFrame permisisions enabled.

I have a created a public app to demo the problem to Stimulsoft, but so far no bright ideas from their end: StimulsoftTesting

Here is the json in case its needed: StimulsoftTesting.json

1 Like

Could the solution to this simply be adding a CORS policy to your servers to allow Hard to see how that would be a security hole as is its basically the same thing typically done when a site allows CORS with its own

I can confirm this issue still exists and particularly when we are using modules

Hey there! As a security measure, Retool runs all custom JavaScript on a separate sandboxed domain. Self-hosted orgs can set this domain with the SANDBOX_DOMAIN environment variable, but for Cloud hosted orgs it will be retool-edge.

Different browsers handle cross-origin requests differently, it looks like this may be a result of CORB or something similar since the linked JSON seems to work for me in Firefox but not Chrome. I'm not familiar with Stimulsoft and could be wrong but, unfortunately, that might mean that it's not supported in Retool at the moment.

Hi @Kabirdas

Is there some documentation about this SANDBOX_DOMAIN var for self-hosted instances ? I could not find any mention to this except in your post :wink:

Thanks !


Hi @jfpaccini I don't believe we have additional documentation for this. Do you have any further questions? Happy to help!

Hi @Tess

well, anything that can help make the sandbox more 'flexible' is welcome. We use self-hosted Retool and as such would like to have more flexibility in things we can embed into retool apps.

I have spent quite some time on this (and found a workaround that I am going to publish :wink: ) but going by the books would be more safe. So I am curious about the following variables used in self-hosted:


thanks :slight_smile: