@Daniel Beardsmore said:
The problem seems to be the meaning of X-Frame-Options: SAMEORIGIN — MSIE and Firefox (which MDN confirms hasn't got around to an error page yet!) disallow framing between HTTPS and HTTP with SAMEORIGIN set. This seems reasonable to me. I know Firefox and MSIE take mixed content very seriously now. I don't know if this is a bug in Chrome, that it's permitting this to occur? RFC 7034 does not actually say whether HTTP and HTTPS should be considered identical or different for the same host.
It's a bug in Chrome. Web origins are defined in RFC 6454. Origins are only the same if they have the same scheme, host, and port. I.e. HTTP and HTTPS for the same host are different origins.
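The RFC 6454 comparison described in the reply above, as an added example that is not part of the original posts. The function names and the example.com URLs are constructed for illustration, and `sameOriginFramingAllowed` assumes a SAMEORIGIN check that compares the framing page's origin with the framed page's origin.

```javascript
// Added example: RFC 6454 origin comparison (scheme, host, port).
// Function names and URLs are hypothetical, not taken from any browser's code.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple. The WHATWG URL parser lower-cases the
// scheme and host, and reports port as "" when it equals the scheme default,
// so the default is filled in to make "https://h" and "https://h:443" match.
function originTuple(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Two origins are the same only if all three components are identical.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Assumed model of X-Frame-Options: SAMEORIGIN: framing is allowed only when
// the framing page and the framed page share an origin.
function sameOriginFramingAllowed(framingUrl, framedUrl) {
  return sameOrigin(framingUrl, framedUrl);
}

// Constructed sample pairs: [framing page, framed page].
const samples = [
  ["https://example.com/app", "http://example.com/widget"],     // scheme differs
  ["https://example.com/app", "https://example.com:443/widget"], // default port
  ["http://example.com:8080/", "http://example.com/"],           // port differs
  ["https://EXAMPLE.com/", "https://example.com/widget"],        // host case
];
for (const [parent, child] of samples) {
  const verdict = sameOriginFramingAllowed(parent, child) ? "allow" : "block";
  console.log(`${verdict}  ${parent} framing ${child}`);
}
```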