
You are correct about that.

I think that the main problem with iframes (and frames in general) is that it's impossible for the user to check in an easy way where they originate from. If the URL bar would automatically change to the iframe's URL when the user hovers over the iframe, it would at least give the user a possibility to check where the iframe originates from and there would be no need to label the entire site as "Not Secure".



> I think that the main problem with iframes (and frames in general) is that it's impossible for the user to check in an easy way where they originate from.

Exactly, just like all other resources (assets, media).

> If the URL bar would automatically change to the iframe's URL when the user hovers over the iframe

Not only is this extremely confusing for anyone who isn't an expert, it also breaks when you don't use a mouse. It can also be circumvented really easily by simply hiding an iframe.

-----

Why exactly don't you like the current behaviour? If you load a page over HTTPS that loads a bunch of insecure pages inside iframes, the page _is_ insecure.


In my example it was the other way around. You load an insecure page over HTTP without triggering any visible warning. And then you load a secure iframe over HTTPS with a login form and this triggers the "Not secure" warning. The only reason to do this that I can think of is because of MiM attacks like detaro wrote about.



