Submitting HTTPS over an iframe in IE problem

Question

I'm working on a script to automatically sign you in to basecamp for a project... so far i have come up with the following as something simple just a form you submit which posts to an iframe:

<html>
<head>
<style>
#bc1{ width: 100%; height: 350px; }
</style>
</head>
<body>

<iframe id="bc1" name="_bc1"></iframe>

<form method="post" id="bcform" action="https://launchpad.37signals.com/session" target="_bc1">
<input name="authenticity_token" type="text" value="PyweDIeBkqaAOltDviI/nOADpyrESRDf77R2v7W/6tM=" />
<input id="product" name="product" type="text" value="basecamp" /><br/>
<input autocapitalize="off" autocomplete="on" class="overlayable" id="username" name="username" title="Username" type="text" />
<input autocomplete="on" class="overlayable" id="password" name="password" title="Password" type="password" />
<input name="commit" type="submit" value="Sign In" />
</form>

</body>
</html>

this works in all browsers except IE8 (and presumably 7 and 6)

type in your basecamp login/password into the text boxes and click sign in to give it a try.

does anyone know why this breaks in IE but works in other browsers?

Answer 1

If you're not serving the initial page over HTTPS too, using HTTPS within an iframe doesn't add any security, since the URI of the iframe itself could be altered by an attacker and the user wouldn't notice it:

http://stackoverflow.com/questions/3144986/http-https-iframe/3183176#3183176