Embedded Retool Apps are Unable to Login on Webkit Browsers (Safari, iOS Browsers, Gnome Web, etc.)

When our Retool app is embedded into a website with an iFrame, we are unable to sign into Retool from that iFrame due to Safari's "Prevent cross-site tracking" option blocking cookies of cross-origin iFrames from being set. Is there any way to work around this without disabling the "Prevent cross-site tracking" option outright?


Hey @amydevs! I don't think so, but will double check with my team to see if they have any other ideas. Thank you for the clear screenshots :pray:

Hi again! It seems like this is the currently supported behavior. Do you have any specific concerns? I'd be happy to put in an internal request on your behalf :slight_smile:

The Retool app is inside an iFrame, and users cannot sign into Retool through the embedded app on iOS (iPhone, iPad) even with the "prevent cross-site tracking" option turned off. When the user tries to sign in, the iFrame is redirected to another page that errors out, and is then redirected back to the Retool sign-in page.

@victoria The issue seems to be that since Safari 13, for Cross-Origin iFrames to have access to cookies, express user interaction is required to give permission to such.

Therefore, without a prompt for permission to cookies, Safari users viewing Retool's login page through an iFrame are unable to store or access cookies that provide authentication. Hence, Safari users are stuck in a redirect loop where the login page redirects to the Retool application, only for the application to realize that the user is unauthenticated due to no cookies being set, and redirect back to the login page.

The cause of this problem is detailed in this StackOverflow post: javascript - Safari 13+ iframe blocks CORS cookies - Stack Overflow.

This would mean that Retool would need to implement a user prompt and calls to the Storage API in order to accommodate embedding Retool apps for Safari users.

References for implementation details:
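Added example, not part of the original post and not Retool's code: a sketch of the prompt-plus-permission flow described above, as it would run in the page loaded inside the iframe. It assumes the "Storage API" in the post means the browser's Storage Access API (`document.hasStorageAccess()` / `document.requestStorageAccess()`); the function names, the `startLogin` / `openTopLevel` callbacks, the `#sign-in` selector and the `/auth/login` path are hypothetical.

```javascript
// Added example: logic for the page loaded inside the cross-origin iframe.
// `doc` is that page's document, passed in so the flow can be run against a stub.
async function ensureCookieAccess(doc) {
  if (typeof doc.hasStorageAccess !== "function" ||
      typeof doc.requestStorageAccess !== "function") {
    return "unsupported"; // API absent: cookies follow the browser's default policy
  }
  if (await doc.hasStorageAccess()) {
    return "granted"; // cookies are already readable and writable in this frame
  }
  try {
    // Only honoured inside a user gesture (click or tap); the promise rejects
    // otherwise, or when the user or the browser declines.
    await doc.requestStorageAccess();
    return "granted";
  } catch {
    return "denied";
  }
}

// Hypothetical wiring: the click is the express user interaction the post mentions.
// startLogin   - continue the sign-in inside the iframe (the session cookie can be set)
// openTopLevel - fallback: sign in from a first-party window instead of looping
function wireLoginButton(doc, button, { startLogin, openTopLevel }) {
  button.addEventListener("click", async () => {
    const state = await ensureCookieAccess(doc);
    if (state === "denied") {
      openTopLevel();
    } else {
      startLogin();
    }
  });
}

// In the embedded page (browser only; selector and path are placeholders):
// wireLoginButton(document, document.querySelector("#sign-in"), {
//   startLogin: () => location.assign("/auth/login"),
//   openTopLevel: () => window.open("/auth/login", "_blank"),
// });
```

Checking the result before redirecting is what breaks the loop: the frame only starts the sign-in when the session cookie can actually be stored, and otherwise hands off to a first-party window.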

Thank you for all that context and research! Super clear and helpful. I passed it all along to our team and will keep this thread updated :slight_smile:

@victoria Hi, using an iFrame I'm having similar issues. I have an application form I use publicly on my website to get people to send us information, but Safari/iPhone users are met with a login screen.

You can see this at voxen.ca/application

Are there any updates on this?

Great questions. We don't quite have a clear way around this Safari limitation yet :sweat: At the moment, Embed (available only on the Business and Enterprise plans) could be a path forward, but then you'd lose the Retool login. You could also try Portals (available only on the Business and Enterprise plans) if you want a custom portal and a Retool-handled login. I'm sorry I don't have better news for you—I did check in on the bug report to see if we have any new updates, but it looks like we're currently blocked here.