SSL iframe in an SSL page from a different domain
Whether the containing page and the iframe are on the same domain or not doesn't really matter.
- Page served over http:// with an iframe using an http:// URL: works fine.
- Page served over http:// with an iframe using an https:// URL: works fine, but you won't be able to ensure the security of the iframe.
- Page served over https:// with an iframe using an http:// URL: will generate mixed content warnings, thereby introducing a potential security risk, and should be avoided.
- Page served over https:// with an iframe using an https:// URL: works fine. The users may find it hard to check that the iframe comes from the site they expect. They effectively trust the containing page to do the right thing (see 3-D secure problem).
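An added example (not part of the original answers) that applies the four cases above to a page's markup: it resolves each iframe src against the containing page's URL, so protocol-relative and relative values are classified by the scheme the browser would actually load. The function names, verdict strings and sample HTML are constructed for illustration.

```javascript
// Regex extraction keeps the example dependency-free; use a real HTML
// parser for a production audit.
const IFRAME_SRC = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function classifyFrame(pageUrl, rawSrc) {
  const page = new URL(pageUrl);
  let frame;
  try {
    // Relative and protocol-relative ("//host/path") values inherit the
    // scheme of the containing page, exactly as in the browser.
    frame = new URL(rawSrc, page);
  } catch {
    return { src: rawSrc, resolved: null, verdict: "unparseable" };
  }
  let verdict;
  if (frame.protocol !== "http:" && frame.protocol !== "https:") {
    verdict = "non-network scheme";        // about:, data:, blob: ...
  } else if (page.protocol === "https:" && frame.protocol === "http:") {
    verdict = "mixed content";             // https page, http frame: avoid
  } else if (page.protocol === "http:" && frame.protocol === "https:") {
    verdict = "https frame in http page";  // frame security cannot be ensured
  } else if (page.protocol === "https:") {
    verdict = "secure";                    // https page, https frame
  } else {
    verdict = "insecure";                  // http page, http frame
  }
  return { src: rawSrc, resolved: frame.href, verdict };
}

function auditIframes(pageUrl, html) {
  const results = [];
  for (const m of html.matchAll(IFRAME_SRC)) {
    results.push(classifyFrame(pageUrl, m[1] ?? m[2] ?? m[3]));
  }
  return results;
}

// Constructed sample page, audited as if served from an https:// URL.
const sampleHtml = `
  <iframe src="https://pay.example.net/form"></iframe>
  <iframe src="http://ads.example.org/banner"></iframe>
  <iframe src='//cdn.example.org/widget'></iframe>
  <iframe src=/local/help.html></iframe>
  <iframe src="about:blank"></iframe>`;

for (const r of auditIframes("https://shop.example.com/checkout", sampleHtml)) {
  console.log(r.verdict.padEnd(26), r.resolved);
}
```

The same protocol-relative src that is classified as secure here becomes insecure when the containing page is served over http://, which is why the audit takes the page URL as input.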
I had the same problem and found a workaround working fine for me and my project:
Instead of using an iframe, I use a popup window (JavaScript window.open) where I place the iframe. Before opening the popup window, I check if the src of the iframe starts with https. If so, I open the popup window with https; otherwise I open the popup window with http.
Hope this info will help some of you :-)