Firefox Blocking iFramed Forms

Chris_Vanderma1
Level 4

Firefox Blocking iFramed Forms

I've recently noticed some very concerning behaviour. We iframe all of our Marketo forms into our Web Site to allow prefill. This was working very well for a while, but just this week we noticed Firefox selectively blocking some iframed forms. The odd thing is it seems to only block the iframe if the page is visited directly from Google search results or if the URL is directly typed into the URL bar. If the page is visited via browsing pages on our Web Site the iframed page shows up.

In firefox the iframe is just invisible, but if you click on the shield to the left of the URL bar you see:

"Firefox has blocked content that isn't secure.
Most Web Sites will work properly when when this content is blocked."

Then a button with a dropdown arrow is below. if I click the "Disable protection on this page" item, my form loads.

Is anyone else encountering this issue and have they found a way to counter it?
Tags (1)
3 REPLIES 3
Kenny_Elkington
Marketo Employee

Re: Firefox Blocking iFramed Forms

This is probably due to traffic incoming from google defaulting to https or vice versa and causing a protocol mismatch between the parent and the iframe.  I would consult your IT/Ops to ensure that these links are consistent across sources, and that your server has a predictable default behavior for which protocol it loads over.
Jep_Castelein2
Level 10

Re: Firefox Blocking iFramed Forms

Hi Chris, is your website secure (HTTPS/SSL)? If yes, then you'll need to convert your Marketo landing pages to SSL, otherwise you'll get this warning. 
Chris_Vanderma1
Level 4

Re: Firefox Blocking iFramed Forms

Thanks for the feedback, guys. You are definitely correct. The issue only appears when an https page is accessed. The thing is that we don't use https pages for anything, but we do mirror all http content to https calls. We have no idea how google indexed https pages, but somehow they have, seemingly at random despite us not having advertised them to our knowledge.

Any recommendations for the best way to prevent google from indexing https versions of pages, or to redirect calls via https to normal http? It seems this can be accomplished with robots.txt or .htaccess, but this is outside of my area of expertise. Any ideas?