It uses an iframe and doing so is disabled by default in XF.
You can change that using config.php for your own site if you wish.
$config['enableClickjackingProtection'] - default: true
When enabled, this option prevents clickjacking attacks by placing your forum in an iframe and tricking the user into clicking something. However, this can also disable valid uses of iframe embedding. Disable this only if you understand the implications.