The external application is hosted in an iframe, and subject to limitations of an iframe. For example, you cannot embed a non-secure (http) site into a secure (https) site.
Directly embedding third-party web applications into SDx might not be allowed as it depends on whether the application being embedded in iframe is supported.