Not sure I follow the logic of your reply but I will try. The chat icon is selected from Site A a secure session window for SupportCustomer.aspx is sent to the client from site B witout a security warning; which state there is no code in the page that has an http refrence hense no security warning. After the message is submitted within the secure session and the SupportClient.aspx is sent back, are you stating there are no refrences to http which are wrapped in the secure session and there is nothing you can do to resolve this issue? That is the popup of a security warning to the customer with IE. We have several remote domain apps with simular funtion that are properly wrapped and do not get issued security warnings.
Adam I post these messages because I feel you have a good product and I also know these issue can be resolved; if I am just a burdon and you don't want to deal with them please let me know we can move on.
We will have to meet this requirement to retain our PCI DSS compliance if we can't we will need to pull the application. Thank you.