The documentation lists the following reason
If JavaScript ran directly on your page, other people in your org could XSS you. To prevent that, we execute all JavaScript in a separate iframe, on a different domain.
But if someone is part of your Retool account doesn't that mean that you already trust them?
If only certain people are allowed to modify the JS code, won't this be enough?
Hi @vangelov
assuming there aren't security concerns, what is the additional benefits running js within the main app?
You would have access to the DOM API for the actual app.
I.e. you can add event listeners to the document, call any APIs you want and generally be able to implement anything that's possible in a standard web app and is not yet in Retool.
For example: scrolling the window or showing an alert before closing the app.
Although I understand that Retool would enforce strong sandboxing with the cloud edition, I find it very frustrating not to be able to basically 'do what we want' with the self-hosted edition. We are in an environment we control, why couldn't we load any lib we need to ?