Seeking Guidance on Retool's 'unsafe-eval' CSP Issue

Hello Retool Community,

We're working on obtaining FedRAMP accreditation and are using Retool for our internal tooling. Unfortunately, we've run into a snag: our FedRAMP guidelines don't allow the 'unsafe-eval' directive that Retool currently uses for script execution, which is causing a CSP conflict.

The Issue:

  • Our FedRAMP security policies disallow the use of 'unsafe-eval'.
  • This is preventing us from meeting our internal security requirements with Retool.

What I'm Looking For:

  • Workarounds or Best Practices: Has anyone found configuration tweaks or alternative approaches to resolve this issue while still using Retool effectively?
  • Future Roadmap: Is there any indication that Retool plans to address this in upcoming releases?

I’d appreciate any insights or shared experiences on tackling this problem. If you need additional details, like screenshots or code snippets, just let me know and I'll provide them.

Thanks for your help!

Best,
Oscar

Hi @oscar_bartra,

Apologies for the delay! I see you already got in touch with our team.

For others who are curious about this, here is our current update:

As part of the runtime, eval is needed to run builders' code. Part of Retool's runtime executes in the host browser, but for security, code written by Retool builders is evaluated inside a sandboxed iframe. The sandboxing and runtime architecture protects against cross-site scripting (XSS) attacks.

Our team is considering alternative solutions, but for now there won't be changes to this. We'll circle back to this thread if we have any other updates on this topic.
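To make the host/sandbox split in the reply above concrete, here is an added example in JavaScript. It is not Retool's code and does not reflect Retool's actual headers: the two policies, the origin https://sandbox.example and the function names are assumptions for illustration. The point it shows is that CSP is evaluated per document, so the top-level host document can drop 'unsafe-eval' entirely while the document loaded into the sandboxed iframe carries its own policy that permits it, and the `sandbox` attribute (without `allow-same-origin`) gives that document an opaque origin so evaluated code cannot reach the host's DOM, cookies or storage.

```javascript
// Added example (not Retool's code). Parses a Content-Security-Policy string and
// decides whether eval() would be permitted in the document that carries it.
// All policies and origins below are constructed for illustration.

// Parse "directive v1 v2; directive v3" into a Map of directive -> [values].
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs eval(); when it is absent the browser falls back to default-src.
function effectiveScriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null; // no governing list: nothing is restricted
}

// eval(), new Function() and string-argument setTimeout are blocked unless the
// governing source list contains 'unsafe-eval' (or there is no governing list).
function cspAllowsEval(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// frame-src falls back to child-src, then default-src. Matching here is a
// simplified exact-origin comparison (no scheme or host wildcards).
function cspAllowsFrame(policy, origin) {
  const d = parseCsp(policy);
  const sources =
    d.get("frame-src") ?? d.get("child-src") ?? d.get("default-src") ?? null;
  if (sources === null) return true;
  return sources.some((s) => s === "*" || s.toLowerCase() === origin.toLowerCase());
}

// Constructed policy for the top-level host document: no 'unsafe-eval', no inline
// scripts, and only the assumed sandbox origin may be framed.
const HOST_POLICY =
  "default-src 'self'; script-src 'self'; frame-src https://sandbox.example; object-src 'none'";

// Constructed policy for the document served from the sandbox origin: 'unsafe-eval'
// is allowed here, but this document holds no cookies, tokens or privileged state.
const SANDBOX_POLICY =
  "default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'none'";

// The iframe the host page would embed. Omitting allow-same-origin gives the framed
// document an opaque origin, so code run through eval() there is isolated from the host.
function sandboxIframeTag(src) {
  return `<iframe src="${src}" sandbox="allow-scripts"></iframe>`;
}

// Summarise what a scanner would conclude from each document's own policy.
function summarise() {
  return {
    hostAllowsEval: cspAllowsEval(HOST_POLICY),
    hostCanFrameSandbox: cspAllowsFrame(HOST_POLICY, "https://sandbox.example"),
    sandboxAllowsEval: cspAllowsEval(SANDBOX_POLICY),
    sandboxCanBeNestedFurther: cspAllowsFrame(SANDBOX_POLICY, "https://sandbox.example"),
  };
}

console.log(summarise());
console.log(sandboxIframeTag("https://sandbox.example/runtime.html"));
```

The practical caveat for an assessment: a header scan of the top-level app only sees HOST_POLICY, but the sandbox document is still a document your users load, so its policy and its origin separation are what an assessor will ask about. Whether a vendor's sandboxed-iframe design satisfies a given control is a question for the vendor and the assessor, not something this snippet can decide.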