This one is more google-able than the ones I've noted down below, but anyway: the gist of the issue is that iframes loaded into a secure (https) page are treated as insecure when their src attribute is missing, is "" (an empty string), or is "about:blank".
An empty or missing src is typically used when the iframe is going to be filled dynamically via JavaScript or equivalent.
Since network sniffing doesn't show any non-SSL HTTP requests, this one might be a bit of a pain to debug, were it not for the users of a wysiwyg/textarea replacement project who reported the problem on their forums.
Anyway, the solution is to use src="javascript:;" as an initial value, which is apparently secure enough for IE not to throw an error message in the user's face.
1/12/2005: This also appears to happen with <object>s, with a codebase that is not https, and that sucks.
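A static check for the markup patterns described above, as an added example that is not part of the original post: it scans a page's HTML for iframes whose src is missing, empty or "about:blank", and for objects with a non-https codebase. The function names and sample markup are constructed, and treating only absolute codebase URLs with a non-https scheme as findings is an assumption.

```javascript
// Added example: static check for the markup patterns this post describes.
// Function names and the sample markup are constructed for illustration.

// Parse the attribute text of one start tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/gi;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = [m[2], m[3], m[4]].find((v) => v !== undefined) || "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one finding per <iframe>/<object> start tag that matches the post.
// Limitation: a ">" inside an attribute value ends the tag match early.
function findMixedContentTriggers(html) {
  const findings = [];
  const tagRe = /<(iframe|object)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (tag === "iframe") {
      const src = (attrs.src || "").trim().toLowerCase();
      if (src === "") findings.push({ tag, reason: "missing-or-empty-src", source: m[0] });
      else if (src === "about:blank") findings.push({ tag, reason: "about-blank-src", source: m[0] });
    } else if (/^[a-z][a-z0-9+.-]*:/i.test(attrs.codebase || "") &&
               !/^https:/i.test(attrs.codebase)) {
      // Assumption: only an absolute codebase URL with a non-https scheme counts.
      findings.push({ tag, reason: "non-https-codebase", source: m[0] });
    }
  }
  return findings;
}

// Constructed sample page fragment (hostnames are placeholders).
const SAMPLE = [
  '<iframe id="e1"></iframe>',
  '<iframe id="e2" src=""></iframe>',
  "<iframe id='e3' src='about:blank'></iframe>",
  '<iframe id="e4" src="javascript:;"></iframe>',
  '<object codebase="http://plugins.example/x.cab"></object>',
  '<object codebase="https://plugins.example/x.cab"></object>',
].join("\n");

console.log(findMixedContentTriggers(SAMPLE));
```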
OK, so this is a really old post, but it helped me fix a really annoying problem I was having.
I had to change the IFRAME src to be "javascript:false;" though, otherwise it would still give the warning message in IE 6.0.2900.
Thanks!