We have someone complaining about the security popup when one of their
https: pages has an iframe referencing one of our pages http:.
Now, our server has code that checks the referrer and redirects the request
to our page, changing the http:// to https://.
So just to verify, it appears that the security popup is triggered by the
initial request, irrespective of what actually ends up getting served - is
that correct? It's a pre-render warning rather than a render warning.
Makes it additionally annoying, but just want to be sure.