SSL should really be all or nothing. The same way browsers don't like loading insecure content from a secure origin, they should also squirm at the idea of submitting a form to a secure area (from non-secure) -- including if the parent is non-secure. An iframe isn't good enough.