iFrame not showing URL when Port Number added

I have a desktop app running on macOS that outputs an HTML file that can be launched and viewed by the default browser. Inside this HTML file is an iFrame that holds a link to a URL. When that URL is plain (no port number) it works fine e.g. http://click.bulkemailapp.com

<iframe frameborder="1" height="200" scrolling="no" src="http://click.bulkemailapp.com" width="800"></iframe>

But when it includes port number to a Xojo WebApp that I know is operational, nothing is displayed e.g. http://click.bulkemailapp.com:4000

<iframe frameborder="1" height="200" scrolling="no" src="http://click.bulkemailapp.com:4000" width="800"></iframe>

In the case of http://click.bulkemailapp.com:4000, the WebApp should run a ShowURL of an error page due to the lack of parameters, and runs fine outside the iFrame, but fails inside the iFrame.

Any clues on why a port number should block an iFrame from displaying?

http://click.bulkemailapp.com:4000 isn’t loading for me while http://click.bulkemailapp.com is even outside the iframe.

Can you try it again, I hadn’t set up the router forwarding.

Here’s the error from the iframe:

Refused to display 'http://click.bulkemailapp.com:4000/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Well click.bulkemailapp.com and click.bulkemailapp.com:4000 are both running on the same computer (the former being port 80 or course). Why might this be worthy of an error?

Browser security settings, cross-site scripting protection.
I’m not sure if there’s something you can do with the HTML to change X-Frame-Options or if that’s a browser setting.
(Google might know, though.)

Thanks Tim. You’ve given a place to start looking.

Even if I set the URL to an entirely different server outside my intranet (but with a port number) it doesn’t display, so I don’t think it’s a ‘same PC’ style issue.

It sounds like you need to set the WebApplication.Security to allow the web app to display in an Iframe.


Thanks Paul. Setting the below code in the App.Open event of my WebAp fixed it:

Security.FrameEmbedding = WebAppSecurityOptions.FrameOptions.Allow

Cool, glad it was easy :smiley: