diff --git a/src/components/views/elements/AppTile.js b/src/components/views/elements/AppTile.js
index 58bfda8d22..abf6f306ab 100644
--- a/src/components/views/elements/AppTile.js
+++ b/src/components/views/elements/AppTile.js
@@ -423,8 +423,13 @@ export default class AppTile extends React.Component {
     _setupWidgetMessaging() {
         // FIXME: There's probably no reason to do this here: it should probably be done entirely
         // in ActiveWidgetStore.
+
+        // We use the app's URL over the rendered URL so that anything the widget does which could
+        // lead to requesting a "security key" will pass accordingly. The only other thing this URL
+        // is used for is to determine the origin we're talking to, and therefore we don't need the
+        // fully templated URL.
         const widgetMessaging = new WidgetMessaging(
-            this.props.app.id, this._getRenderedUrl(), this.props.userWidget, this._appFrame.current.contentWindow);
+            this.props.app.id, this.props.app.url, this.props.userWidget, this._appFrame.current.contentWindow);
         ActiveWidgetStore.setWidgetMessaging(this.props.app.id, widgetMessaging);
         widgetMessaging.getCapabilities().then((requestedCapabilities) => {
             console.log(`Widget ${this.props.app.id} requested capabilities: ` + requestedCapabilities);