
How to run a Mendix application in an Iframe in a website on a different domain

Introduction

This article describes how to configure a Mendix application to run in an Iframe on a domain other than the one in which the Mendix application itself is running. Enabling this introduces some security risks, as explained in the adding HTTP Headers security best practices.

Alternatively, to avoid security risks, it is possible to apply a custom domain to the Mendix application. This ensures both the host application and the Mendix application run in the same domain. For applications hosted in Mendix Cloud, refer to the using custom domains documentation.

Environment

Applications hosted in any deployment type

Instructions/Procedure

To allow a Mendix application to run in an Iframe on a different domain, follow these steps:

  1. Set the com.mendix.core.SameSiteCookies runtime setting to the appropriate value to allow loading of the Mendix app in a different domain. Setting it to None is typically needed. See applying a different SameSite setting for additional information.
  2. To allow the Mendix application to run in an Iframe, the frame-ancestors directive of the Content-Security-Policy HTTP Header should include the domain that is permitted to embed the application. For applications hosted in Mendix Cloud, this can be done within the Mendix Portal, as described in the HTTP Headers section of Environment Details. For example:
     Content-Security-Policy: frame-ancestors 'self' https://trusted-parent-domain.com;

Additionally, set the following for Iframe usage in general:

  1. Ensure that the browser is allowed to render a page in a <frame>, <iframe>, <embed>, or <object> by setting the X-Frame-Options HTTP Header.
  2. Optional: If the application uses a custom sign-in page, follow the instructions as outlined in Using Custom Sign-In Pages for applications running in an Iframe.

More information can be found in the "Iframes and running apps" and "running your app in an Iframe" documentation.
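
An added example (not part of the original article and not Mendix code): a Python check over the response headers of an app configured with the steps above. It flags a missing or wildcard frame-ancestors, a parent origin that is not listed, an X-Frame-Options value that conflicts with cross-domain framing, and a SameSite=None cookie without Secure, which current browsers reject. The function names, the sample responses and the SESSION cookie name are assumptions.

```python
def frame_ancestors(csp):
    """Return the frame-ancestors source list of one policy, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower().rstrip("/") for p in parts[1:]]
    return None

def audit_embedding(headers, parent_origin):
    """headers: (name, value) pairs of one response. Returns a list of findings."""
    findings = []
    parent = parent_origin.lower().rstrip("/")
    policies = [frame_ancestors(v) for n, v in headers
                if n.lower() == "content-security-policy"]
    policies = [p for p in policies if p is not None]
    if not policies:
        findings.append("csp: no frame-ancestors directive")
    for sources in policies:
        if "*" in sources or "https:" in sources or "http:" in sources:
            findings.append("csp: frame-ancestors lets any site embed the app")
        elif parent not in sources:  # exact-origin match only (simplification)
            findings.append("csp: parent origin not listed in frame-ancestors")
    for n, v in headers:
        # Browsers that enforce frame-ancestors ignore X-Frame-Options; others apply it.
        if n.lower() == "x-frame-options" and v.strip().upper() in ("DENY", "SAMEORIGIN"):
            findings.append("x-frame-options: %s conflicts with cross-domain framing" % v.strip())
        if n.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = {}
            for a in v.split(";")[1:]:
                k, _, val = a.strip().partition("=")
                attrs[k.lower()] = val.strip().lower()
            if attrs.get("samesite") != "none":
                findings.append("cookie %s: SameSite is not None" % name)
            elif "secure" not in attrs:
                findings.append("cookie %s: SameSite=None without Secure" % name)
    return findings

# Constructed sample responses; the cookie name and values are placeholders.
GOOD = [("Content-Security-Policy", "frame-ancestors 'self' https://trusted-parent-domain.com;"),
        ("Set-Cookie", "SESSION=abc; Path=/; Secure; HttpOnly; SameSite=None")]
BAD = [("Content-Security-Policy", "default-src 'self'; frame-ancestors *"),
       ("X-Frame-Options", "SAMEORIGIN"),
       ("Set-Cookie", "SESSION=abc; Path=/; HttpOnly; SameSite=None")]

if __name__ == "__main__":
    for label, resp in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_embedding(resp, "https://trusted-parent-domain.com"))
```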

Outcome

The Mendix application can be loaded in an Iframe on a website in a different domain.

Internal information related

  • 253326
