I came across this the other day. A customer has a SSL/HTTPS secured site and when doing some JavaScript DOM manipulation to an iframe a security warning about the page containing both secure and unsecure content kept poping up.

It was kind of hard to figure out. Maybe someone can benefit from this.

It turns out that Internet Explorer considers an iframe without a "src" attribute insecure. The trick is to add a dummy src attribute pointing to a picture or something (/icons/ecblank.gif).

A qualified guess is that this will probably be the case with all objects that can have a src attribute. Firefox seems not to be affected.