Missing `allow-same-origin` in iFrame's in 3.22.6

troykelly · December 13, 2023, 9:37pm

With a Retool update we have lost allow-same-origin for iframes.

We previously had a working Org Chart that can now no longer load because of the missing sandbox permission.

The inspector shows that it is missing, but the Retool interface indicates it should be present.

Model

{
  "name": "Organisation Chart",
  "nodes": {{ queryAllDepartment.data.id.map((id, idx) => ({ id: id, name: queryAllDepartment.data.name[idx],pid: queryAllDepartment.data.fkParentDepartmentId[idx]})) }},
 "updateData": {}
}

IFrame Code

<html>
  <head>
    <!-- https://balkan.app/OrgChartJS/Docs -->
    <style type="text/css">
      html,
      body {
        height: 100%;
        margin: 0;
        padding: 0;
      }

      #orgchart {
        height: 100%;
        /** IE 6 */
        min-height: 100%;
      }
    </style>
    <script src="https://cdn.onaperim.com/vendor/orgchartjs/orgchart.js"></script>
  </head>
  <body>
    <div style="width:100%; height:100%;" id="orgchart"></div>
    <script>
      const generateChart = function(model) {
        const chart = new OrgChart(document.getElementById("orgchart"), {
          enableDragDrop: true,
          miniMap: true,
          layout: OrgChart.tree,
          enableSearch: true,
          template: "isla",
          mouseScrool: OrgChart.action.ctrlZoom,
          nodeBinding: {
            field_0: "name"
          },
          editForm: {
            generateElementsFromFields: false,
            addMore: null,
            addMoreBtn: null,
            addMoreFieldName: null,
            elements: [{
              type: 'textbox',
              label: 'Department Name',
              binding: 'name'
            }],
            buttons: {
              share: null,
              pdf: null
            }
          },
          nodes: model.nodes,
          nodeMenu: {
            details: {
              text: "Details"
            },
            edit: {
              text: "Edit"
            },
            add: {
              text: "Add"
            },
            remove: {
              text: "Remove"
            }
          },
        });
        chart.on('drop', function(sender, draggedNodeId, droppedNodeId) {
          window.Retool.modelUpdate({
            updateData: {
              id: draggedNodeId,
              fkParentDepartmentId: droppedNodeId || null
            }
          })
          window.Retool.triggerQuery("updateDepartment")
        })
        chart.on('updated', (sender, original, args) => {
          window.Retool.modelUpdate({
            updateData: {
              id: args.id,
              fkParentDepartmentId: args.pid,
              name: args.name
            }
          })
          window.Retool.triggerQuery("updateDepartment")
        })
        chart.on('add', (sender, args, arg2) => {
          window.Retool.modelUpdate({
            updateData: {
              name: "New Department",
              fkParentDepartmentId: args.pid || null
            }
          })
          window.Retool.triggerQuery("insertDepartment")
        })
        chart.on('remove', (sender, args) => {
          window.Retool.modelUpdate({
            updateData: {
              deleteId: args
            }
          })
          window.Retool.triggerQuery("deleteDepartment")
        })
      }
      window.Retool.subscribe(function(model) {
        // subscribes to model updates
        // all model values can be accessed here
        generateChart(model)
      });
    </script>
  </body>
</html>

hardselius · December 13, 2023, 10:59pm

We have the same issue. Wrote a separate post a few hours back. IFrame "Storage and cookies" (allowSameOrigin) option gone (3.22.3)

troykelly · December 13, 2023, 11:12pm

Apologies, @hardselius, I missed your post.

I had tried raising this with support directly, but have been told there is no support for Retool outside of the forum - so posting here.

hardselius · December 14, 2023, 7:45am

It's all good. As long as it gets attention, I'm happy. Embedding is a must have for us.

jmann · December 14, 2023, 3:04pm

Hey folks - We're digging in with the development team on this now, will update this thread as we learn more!

jmann · December 14, 2023, 3:24pm

Is everyone seeing this self-hosted? If so, can you try setting ALLOW_SAME_ORIGIN_OPTION in your deployment? Seeing a security issue we addressed, that made this behavior opt-in.

jmann · December 14, 2023, 4:29pm

This appears to be the case testing it out, but let me know if that's not what you're seeing. Though it's called out in the release notes, it's not clear existing IFrame-based components will lose the flag is no action is taken. Adding a warning to the headers of existing 3.22 release notes now, thanks for flagging!

troykelly · December 14, 2023, 11:51pm

Perhaps this should be added to Environment variables reference | Retool Docs

That would have saved a lot of time - I don't typically check every single intermediate release note for settings like this, when there should be a source of truth for all the settings.

troykelly · December 15, 2023, 12:51am

Confirming the environment variable works. Back to the original functionality for the iframe.

It does beg the question - is this not the correct way to be approaching this?

jmann · December 15, 2023, 1:34pm

For sure, touched base with the docs team on that. Since the original post issue is separate and resolved, I'd start a new topic with the specifics of what you're looking for with the content of your custom component/third-party library (not sure I'm following what you're referring to in terms of the correct approach or if that context was shared elsewhere)