Also, you may want to set

antiCsrf

value in the backend (Session.init) to

"VIA_TOKEN"

. Since you will be using an iframe.