I've got a site http://abc.com/support, which uses an iFrame that has a source pointing to https://123.sample.com My objective was to mask the domain and the iFrame accomplishes this successfully. However, I just found out that users are not able to log into the site using IE 9(source: https://123.sample.com) when they go through the iFrame. Nothing errors out, it's just that the page refreshes and they'll still be at the login screen. But if they were go directly to https://123.sample.com in IE9, then logging in wouldn't be an issue.

I thought forcing it to use IE 7's standards would work by using <meta http-equiv="X-UA-Compatible" content="IE=7" />, but it doesn't. Oddly enough, if I enter an incorrect password in the iFrame, I actually get an error stating "invalid password". But if I log in with the right credentials, nothing happens. You'll see the page refresh, but you'll be stuck at the login page.

Suggestions? Here's a second question. Note that the source in the iFrame is a secure page, but my page isn't. Is there any point to securing my page?

You shouldn't put a https:// iframe to log in within a page served over plain HTTP. The reasons for this have been discussed in a number of questions, for example:

• Secure popup login possible?
• Is posting from HTTP to HTTPS a bad practice? (on Security.SE)