Missing `allow-same-origin` in iFrame's in 3.22.6

With a Retool update we have lost allow-same-origin for iframes.

We previously had a working Org Chart that can now no longer load because of the missing sandbox permission.

The inspector shows that it is missing, but the Retool interface indicates it should be present.


  "name": "Organisation Chart",
  "nodes": {{ queryAllDepartment.data.id.map((id, idx) => ({ id: id, name: queryAllDepartment.data.name[idx],pid: queryAllDepartment.data.fkParentDepartmentId[idx]})) }},
 "updateData": {}

IFrame Code

    <!-- https://balkan.app/OrgChartJS/Docs -->
    <style type="text/css">
      body {
        height: 100%;
        margin: 0;
        padding: 0;

      #orgchart {
        height: 100%;
        /** IE 6 */
        min-height: 100%;
    <script src="https://cdn.onaperim.com/vendor/orgchartjs/orgchart.js"></script>
    <div style="width:100%; height:100%;" id="orgchart"></div>
      const generateChart = function(model) {
        const chart = new OrgChart(document.getElementById("orgchart"), {
          enableDragDrop: true,
          miniMap: true,
          layout: OrgChart.tree,
          enableSearch: true,
          template: "isla",
          mouseScrool: OrgChart.action.ctrlZoom,
          nodeBinding: {
            field_0: "name"
          editForm: {
            generateElementsFromFields: false,
            addMore: null,
            addMoreBtn: null,
            addMoreFieldName: null,
            elements: [{
              type: 'textbox',
              label: 'Department Name',
              binding: 'name'
            buttons: {
              share: null,
              pdf: null
          nodes: model.nodes,
          nodeMenu: {
            details: {
              text: "Details"
            edit: {
              text: "Edit"
            add: {
              text: "Add"
            remove: {
              text: "Remove"
        chart.on('drop', function(sender, draggedNodeId, droppedNodeId) {
            updateData: {
              id: draggedNodeId,
              fkParentDepartmentId: droppedNodeId || null
        chart.on('updated', (sender, original, args) => {
            updateData: {
              id: args.id,
              fkParentDepartmentId: args.pid,
              name: args.name
        chart.on('add', (sender, args, arg2) => {
            updateData: {
              name: "New Department",
              fkParentDepartmentId: args.pid || null
        chart.on('remove', (sender, args) => {
            updateData: {
              deleteId: args
      window.Retool.subscribe(function(model) {
        // subscribes to model updates
        // all model values can be accessed here

1 Like

We have the same issue. Wrote a separate post a few hours back. IFrame "Storage and cookies" (allowSameOrigin) option gone (3.22.3)

Apologies, @hardselius, I missed your post.

I had tried raising this with support directly, but have been told there is no support for Retool outside of the forum - so posting here.

It's all good. As long as it gets attention, I'm happy. Embedding is a must have for us.

Hey folks - We're digging in with the development team on this now, will update this thread as we learn more!

Is everyone seeing this self-hosted? If so, can you try setting ALLOW_SAME_ORIGIN_OPTION in your deployment? Seeing a security issue we addressed, that made this behavior opt-in.


This appears to be the case testing it out, but let me know if that's not what you're seeing. Though it's called out in the release notes, it's not clear existing IFrame-based components will lose the flag is no action is taken. Adding a warning to the headers of existing 3.22 release notes now, thanks for flagging!

1 Like

Perhaps this should be added to Environment variables reference | Retool Docs

That would have saved a lot of time - I don't typically check every single intermediate release note for settings like this, when there should be a source of truth for all the settings.

Confirming the environment variable works. Back to the original functionality for the iframe.

It does beg the question - is this not the correct way to be approaching this?

For sure, touched base with the docs team on that. Since the original post issue is separate and resolved, I'd start a new topic with the specifics of what you're looking for with the content of your custom component/third-party library (not sure I'm following what you're referring to in terms of the correct approach or if that context was shared elsewhere)