Application not working in current iframe construction
Service Studio Version: 11.10.12 (Build 39237)

At the moment we have an application running in production, but it is causing some problems. Below I will try to name these in the hope that someone has an idea how I can best solve this.

The application is built in OutSystems (Reactive application), but is loaded via an iframe on another website. This was working properly in the browsers we checked (Chrome, Firefox, Edge and Safari, all latest versions).

Now it appears that the application does not work equally well in every scenario. When Google Chrome is opened in an Incognito window or the user has blocked third-party cookies, the application will not work and the user will receive the following error message:

Also when a user uses Safari version 13 or lower (it works in 14), the application does not work and the user gets the following error:

When I use the OutSystems application without an iframe construction it does not cause any problems. It is therefore suspected that it has something to do with the iFrame construction. However, I am not sure how to fix this. Maybe it is not even OutSystems related. 

Has anyone ever run into such a problem and is there a solution for it? Any help is appreciated. Maybe a different construction is even the solution? The starting point is to mask the OutSystems URL and to communicate with the name of our brands.



Hi Bart,

Did you manage any CSP (Content Security Policy) on your environment to use an iframe within the platform?

I truly recommend doing it, to avoid this situation. Iframes are famous for security breaches, and a lot of browsers and web servers have implemented a security mechanism. One of those attacks is XSS.

It's old but still valid. It's a straightforward video that can show you how to do it.

Using iFrame in OutSystems applications

Apply Content Security Policy

It can also be interesting to look at this

Hi César,

Thanks for your suggestions. I did watch the video and did read the articles you sent me.

Unfortunately it is still not working. I did change the cookie settings as mentioned in one of your linked posts (see screenshot below). I did use a * because that has to allow everything (I will narrow it down once this is working properly). Any other suggestions?

When I changed the settings above I got another 2 errors, as it seems it is not allowed via meta tags. I added 'none' to see if it works and it does. When applying 'none' the iframe does block the content. I also did try to set the exact domain instead of the asterisk (*) and the same message appears.
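
The settings discussed in this thread (cookie attributes, `frame-ancestors`, the meta-tag limitation) can be checked together against a captured response. The following is an added example, not part of the original posts and not OutSystems code; the function names, the origin `https://brand.example` and all header values are constructed assumptions.

```javascript
// Parse a CSP string into { directive: [sources...] }.
function parseCsp(policy) {
  const out = {};
  for (const part of (policy || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Audit the response of a page that must load inside a cross-site iframe.
// Assumption: sources are compared as exact origins; host wildcards such as
// https://*.example.com are not expanded.
function auditFramedResponse({ setCookies = [], headerCsp = "", metaCsp = "", xFrameOptions = "" }, embedder) {
  const findings = [];

  // Browsers that default to SameSite=Lax only send a cookie into a
  // cross-site iframe when it is marked SameSite=None and Secure.
  for (const cookie of setCookies) {
    const name = cookie.split("=")[0].trim();
    const attrs = cookie.split(";").slice(1).map(a => a.trim().toLowerCase());
    if (!attrs.includes("samesite=none")) findings.push(`cookie ${name}: needs SameSite=None`);
    if (!attrs.includes("secure")) findings.push(`cookie ${name}: needs Secure`);
  }

  // frame-ancestors is ignored in <meta http-equiv>; it must be a response header.
  if ("frame-ancestors" in parseCsp(metaCsp)) findings.push("frame-ancestors in <meta> is ignored");

  const ancestors = parseCsp(headerCsp)["frame-ancestors"];
  if (ancestors === undefined) {
    // Without a frame-ancestors header, X-Frame-Options decides.
    if (/^(deny|sameorigin)$/i.test(xFrameOptions.trim())) {
      findings.push(`X-Frame-Options ${xFrameOptions.trim()} blocks ${embedder}`);
    }
  } else if (ancestors.includes("*")) {
    findings.push("frame-ancestors * lets any site embed the page");
  } else if (!ancestors.includes(embedder)) {
    // Covers 'none' and a list that names other origins only.
    findings.push(`frame-ancestors does not list ${embedder}`);
  }
  return findings;
}
```

Correct attributes do not help when the browser blocks third-party cookies altogether, the situation described in the first post; the framed application then receives no cookies regardless of these headers.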
