In a previous essay I discussed the security implications of hosting an IFRAME on an insecure container page. The follow-up question is whether it’s actually possible to host a secure IFRAME inside a secure container page, and if all browsers will allow this.

My gut feeling said that this should be possible, because the IFRAME has its own browsing context. Browser support is a different question though, so I conducted a quick experiment.