The external application is hosted in an iframe, and subject to limitations of an iframe. For example, you cannot embed a non-secure (http) site into a secure (https) site.
Directly embedding third-party web applications into the web client might not be allowed as it depends on whether being embedded in iframe is supported.