- My goal: I want to embed external URLs as iframes in an app created through Retool’s new React app builder
- Issue: The CSP header on the React app page sets `frame-src 'self'`. Is there any setting we can use to have certain allowlisted domains?
- Steps I've taken to troubleshoot: Confirmed via Network tab that the response header `Content-Security-Policy: ... frame-src 'self' ...` is set on the React app page by Retool's server.
- Additional info: Cloud. Screenshot of the CSP header attached.
Hi there Sonia!
Tanner from the Retool product team here
First of all, thanks for trying out the new app builder!
Secondly, our current experience is restrictive by design as a security feature. We’re actively working on a feature to allow admins to relax the CSP policy for your organization.
You can expect this to land early next week! Expect a changelog entry when it’s released.
Glad to hear it’s coming soon!
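As an added example (not part of the thread and not Retool's code), this sketch shows how a `frame-src 'self'` policy like the one in the question is evaluated against an iframe URL, including the fallback to `child-src` and `default-src`. The sample header, hostnames and function names are constructed for illustration, and source matching is simplified (paths are ignored).

```javascript
// Added example, not Retool code. SAMPLE_CSP is constructed: the thread elides
// everything around frame-src, so the other directives are assumptions.
const SAMPLE_CSP = "default-src 'self'; script-src 'self'; frame-src 'self'";

// Split a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: handles 'none', 'self', *, scheme sources and
// host sources with optional scheme, leading "*." and port. Paths are ignored.
function matchesSource(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === "*") return /^https?:$/.test(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)(?::(\d+|\*))?/);
  if (!m) return false; // keywords, nonces and hashes never match a frame URL
  const [, scheme, host, port] = m;
  const schemeOk = scheme
    ? target.protocol === scheme + ":" || (scheme === "http" && target.protocol === "https:")
    : target.protocol === "https:" || target.protocol === page.protocol;
  const hostOk = host.startsWith("*.")
    ? target.hostname.endsWith(host.slice(1)) // "*.x.org" matches subdomains only
    : target.hostname === host;
  const targetPort = target.port || (target.protocol === "https:" ? "443" : "80");
  const portOk = port === undefined ? target.port === "" : port === "*" || port === targetPort;
  return schemeOk && hostOk && portOk;
}

// Decide whether a page served with `header` may embed `frameUrl` in an iframe.
// frame-src falls back to child-src, then default-src; none present = allowed.
function checkFrame(header, pageUrl, frameUrl) {
  const policy = parseCsp(header);
  const page = new URL(pageUrl), target = new URL(frameUrl);
  const directive = ["frame-src", "child-src", "default-src"].find((d) => policy.has(d)) || null;
  const allowed = directive === null ||
    policy.get(directive).some((src) => matchesSource(src, target, page));
  return { directive, allowed };
}
```

With the constructed header, `checkFrame(SAMPLE_CSP, "https://app.example.com/react", "https://docs.example.org/embed")` reports that `frame-src` governs the decision and the external frame is blocked, which matches the behaviour described in the question.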
