I am creating a small widget and I want to allow others to use it. The iframe
is loaded via HTTP - but I want to allow users to log in via HTTPS. i.e. Send a req
@Bruno - I agree, but I would like to point out that even checking the source - as demanding as that is - of the page might not be enough to ensure security or proper/intended destination, since that is often the originally served source text. Unless I'm seriously mistaken, that can be changed easily with in-page or even off-page JavaScript code (which itself can be obfuscated, if someone really wants to make it next to impossible to find). That said, IF a user has an appropriate browser, I think that they might be able - if they are suspicious to begin with - to check the source of the iframe to determine the source of that code, then determine whether they trust the source... not really a reasonable expectation.
Though all of this could be determined with appropriate debuggers and/or software/DOM inspectors and a good helping of digital elbow grease, the OP cannot reasonably expect everyone to do this (if anyone at all).