This test loads a secure iframe that loads a plugin without a URL. We should *not* get a mixed content callback because the plug-in cannot be controlled by an active network attacker.