If the src of the iframe points to the same domain as the toplevel window then it will work out of the box.

But if the toplevel window is for example "demo1.com" and the IFrame points to "demo2.com" then a number of things need to be configured correctly to run the NGClient normally in an IFrame.

• CSP frame-ancestors must be set to demo1.com (if a port is used that is not 80 then the port must also be given like :8080). This can be done on the admin page with the property servoy.ngclient.contentSecurityPolicy.frame-ancestors
• 3rd party cookies must be allowed for the domain "demo2.com" in the browser (this can't be controlled by Servoy, must be configured correctly in the users browser)
• The session cookie of the container (like tomcat) must be correctly configured, the "SameSite" attribute of the cookie must be set to "none", this can't be "strict" or "lax", the latter is the default when nothing is set.
• HTTPS must be enabled for that SameSite attribute value

To configure the session cookie to have the SameSite attribute set to none you need to lookup the documentation of your Servlet Container

For Tomcat (and maybe others) this means you need to have in the WAR file a "META-INF/context.xml" file which has as content:

<Context>
   <CookieProcessor sameSiteCookies="none" />
</Context>

But in the browser cookies with "none" as SameSite can only be set when the "secure" is also true, so you need to run in https mode for this to work.