Getting Turnstile working on MABS 6+

Blane Thompson

Question

I am attempting to get Cloudflare Turnstile working within the OutSystems mobile app. This works fine on desktop, and on android however iOS apps use the outsystems:// protocol which is causing this error to show:

Blocked a frame with origin "https://challenges.cloudflare.com" from access a frame with origin "outsystems://x.outsystemsenterprise.com". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "outsystems". Protocols must match.

What would be an elegant way of doing this, without an additional iframe?

Thanks.

04 Feb

Saugat Biswas

Hi @Blane Thompson ,

You’ve hit a hard platform boundary, not a Cloudflare bug, and your diagnosis is already correct.

iOS OutSystems mobile apps run inside a WKWebView using a custom outsystems:// scheme, and Cloudflare Turnstile requires same‑protocol, same‑origin access (https://) to function.

Cloudflare Turnstile:

Runs inside an HTTPS iframe
Uses postMessage / DOM access across frames
Explicitly requires:
- https:// top-level origin
- Browser security context
OutSystems iOS mobile apps:
- Use WKWebView
- Load app content via a custom scheme: outsystems://
Custom schemes are not treated as secure origins by iOS
Cross‑protocol frame access is explicitly blocked by iOS

Recommendation:

External HTTPS Challenge Page + Deep Link Return

User taps “Verify”
App opens external HTTPS page (SafariViewController)
Turnstile runs normally
On success redirect to:
- outsystems://callback?token=XYZ
App resumes and validates token server-side

Benefits of this approach:

No iframe hacks
Fully supported by Cloudflare
Apple App Store compliant

Hope this helps.

Cheers,

Saugat

31 Mar

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.

See the full guidelines