[CLOSED] Sharing sessions between iframes and Javascript

Hi,

What you’re seeing is a deliberate feature, to protect against Cross-Site Request Forgery (XSRF). XSRF is when some third-party webpage makes a request to an HTTP endpoint of an app you’re already logged into, asking it to do something malicious. If you don’t protect against XSRF, any web page you visit while logged into an app can call HTTP endpoints as if it were you!

We protect against this by executing HTTP endpoints for Anvil apps in an isolated session (ie separate from any session running in the same web browser), unless the request was made from your app’s domain. (The HTTP Origin header tells us where a request came from.)

This means that the page outside your iframe cannot affect your Anvil session (eg by logging you out), although if Javascript embedded in your Anvil app hits an HTTP endpoint on the same app, it has access to your session.

We do plan to add a feature to explicitly disable XSRF protection for a particular HTTP endpoint. I am therefore moving this post to Feature Requests. Watch this space!

1 Like
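To make the mechanism described in the reply concrete, here is an added example (not Anvil's own code) of the decision an HTTP endpoint handler can take: reuse the logged-in browser session only when the request's Origin header matches the app's domain, and otherwise run the endpoint in a fresh, isolated session. The app domain `my-app.example.org`, the session dictionaries and the `handle_logout` endpoint are all constructed for the illustration.

```python
from urllib.parse import urlsplit

# Hypothetical domain of the Anvil app, constructed for this example.
APP_DOMAIN = "my-app.example.org"


def origin_host(origin_header):
    """Return the lower-cased host of an Origin header value.

    Returns None when the header is absent, is the literal "null" value that
    browsers send for opaque origins, or is not an http(s) origin.
    """
    if not origin_header or origin_header == "null":
        return None
    parts = urlsplit(origin_header)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def session_for_request(origin_header, browser_session, app_domain=APP_DOMAIN):
    """Choose which session an HTTP endpoint runs in.

    Same-origin request (JavaScript inside the app itself) -> the existing
    browser session. Anything else, including a missing or "null" Origin,
    -> a new empty session, so a third-party page cannot make the endpoint
    act on the logged-in user's session (the XSRF protection the reply describes).
    """
    if origin_host(origin_header) == app_domain.lower():
        return browser_session
    return {}  # isolated session: no user, no state from the browser session


def handle_logout(origin_header, browser_session):
    """Sample endpoint: log out whichever session the request is routed to.

    Returns whether the real browser session still has a user afterwards,
    so the effect of isolation is visible to the caller.
    """
    session = session_for_request(origin_header, browser_session)
    session.pop("user", None)
    return {"logged_in": "user" in browser_session}


if __name__ == "__main__":
    # Constructed browser session for a logged-in user.
    sess = {"user": "alice"}
    # A cross-site page calling the endpoint cannot log Alice out.
    print(handle_logout("https://evil.example.com", dict(sess)))
    # JavaScript running in the app's own origin shares the session.
    print(handle_logout("https://my-app.example.org", dict(sess)))
```

The Origin header is attached by the browser and cannot be overridden by page JavaScript, which is what makes it usable for this purpose; a non-browser client can send any Origin it likes, so this check is an XSRF defence, not a substitute for authenticating the session itself. Matching only the hostname is a simplification: a production check would compare scheme and port as well.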