Embedded Retool Apps are Unable to Log In on WebKit Browsers (Safari, iOS Browsers, Gnome Web, etc.)

When our Retool app is embedded into a website with an iFrame, we are unable to sign into Retool from that iFrame due to Safari's "Prevent cross-site tracking" option blocking cookies of cross-origin iFrames from being set. Is there any way to work around this without disabling the "Prevent cross-site tracking" option outright?


Hey @amydevs! I don't think so, but will double check with my team to see if they have any other ideas. Thank you for the clear screenshots :pray:

Hi again! It seems like this is the currently supported behavior. Do you have any specific concerns? I'd be happy to put in an internal request on your behalf :slight_smile:

The Retool app is inside an iFrame, and users cannot sign into Retool through the embedded app on iOS (iPhone, iPad) even with the "Prevent cross-site tracking" option turned off. When the user tries to sign in, the iFrame is redirected to another page that errors out, and then redirected back to the Retool sign-in page.

@victoria The issue seems to be that since Safari 13, for Cross-Origin iFrames to have access to cookies, express user interaction is required to give permission to such.

Therefore, without a prompt for permission to cookies, Safari users viewing Retool's login page through an iFrame are unable to store or access cookies that provide authentication. Hence, Safari users are stuck in a redirect loop where the login page redirects to the Retool application, only for the application to realize that the user is unauthenticated due to no cookies being set, and redirecting back to the login page.

The cause of this problem is detailed in this StackOverflow post: javascript - Safari 13+ iframe blocks CORS cookies - Stack Overflow.

This would mean that Retool would need to implement a user prompt and calls to the Storage API in order to accommodate embedding Retool apps for Safari users.

References for implementation details:

Thank you for all that context and research! Super clear and helpful. I passed it all along to our team and will keep this thread updated :slight_smile:
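
The behaviour described in this thread, as an added example that is not part of any post and is not Retool's code: a login gate for an embedded frame that uses the browser's Storage Access API (`document.hasStorageAccess()` / `document.requestStorageAccess()`) and asks on a user click instead of redirecting into the loop. The button, the `startLogin` and `openTopLevel` callbacks, and the top-level fallback are hypothetical names and assumptions of this sketch.

```javascript
// Added example: login gate for a cross-origin iframe.
// `doc` is passed in (normally `document`) so the logic can be tested
// outside a browser.

// Returns 'granted', 'needs-gesture' or 'unsupported'.
async function checkEmbeddedCookieAccess(doc) {
  if (typeof doc.hasStorageAccess !== 'function' ||
      typeof doc.requestStorageAccess !== 'function') {
    return 'unsupported';              // engine has no API to ask with
  }
  return (await doc.hasStorageAccess()) ? 'granted' : 'needs-gesture';
}

// Call from inside a click/tap handler with no `await` before it:
// the browser only honours requestStorageAccess() during a user gesture.
async function requestOnGesture(doc) {
  try {
    await doc.requestStorageAccess();  // resolves when access is granted
    return 'granted';
  } catch (_err) {
    return 'denied';                   // user declined or policy refused
  }
}

// button:       hypothetical "Continue to sign in" element inside the frame
// startLogin:   continues the normal cookie-based login in the frame
// openTopLevel: assumption of this sketch; finishes login in a first-party tab
async function gateLogin(doc, button, startLogin, openTopLevel) {
  const state = await checkEmbeddedCookieAccess(doc);
  if (state !== 'needs-gesture') {     // cookies usable, or nothing to ask
    startLogin();
    return state;
  }
  button.hidden = false;               // show a prompt instead of redirecting
  button.addEventListener('click', async () => {
    const result = await requestOnGesture(doc);
    if (result === 'granted') startLogin();
    else openTopLevel();               // avoid the login redirect loop
  }, { once: true });
  return state;
}
```

In a page this would be called as `gateLogin(document, buttonElement, startLogin, openTopLevel)` before any redirect to the login route.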