Insecure content in iframe on secure page

If your page is http then it allows iframe with https content.

But if your page is https then it does not allow http content.

Lets put down following possibilities.

page - iframe - status

http - http  - allowed
http - https - allowed
https- http  - not allowed
https- https - allowed

If your page is being accessed using https://www.example.com/main/index.jsp (SSL) then your browser will complain with "This page contains both secure and insecure items" if there are any resources in the HTML code that are referenced with http:// (non-SSL). This includes iframes.

If your navigation page is hosted on the same server then you can prevent the "insecure content" message by using a relative URL like this...

<iframe src="/app/navigation.jsp" />

From your question it sounds like your navigation page is being served from a separate host and you're being forced to use something like this

<iframe src="http://otherserver.example.com/app/navigation.jsp" />

which will of course cause the "insecure content" message in your browser.

Your only solutions are to either

  1. implement SSL on the server holding your navigation page so you can use https:// for your iframe reference, or

  2. move the navigation application to the same server so you can use a relative URL.

Personally I can't see why your navigation would be on a different host because then you're going to get JavaScript cross-domain scripting issues (unless some funky JSONP is involved).