The Build iFrame app will contain content from your own website, so the security certificate level of your webpage can affect whether your iFrame app content will or will not be displayed on Facebook.
OVERVIEW: WHY ARE SECURITY LEVELS IMPORTANT?
Three Levels of Security:
1. When a user visits a page served over http, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks.
2. On a page served over https, the user’s connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks.
3. An HTTPS page that includes HTTP content is called Mixed Content. This means that the (unencrypted) HTTP portion can be read or modified by attackers, even though the main page is served over HTTP.
HOW DO SECURITY LEVELS AFFECT THE VISIBILITY OF MY IFRAME?
Mixed Content Blockers block HTTP content on HTTPS pages.
All modern browsers – Firefox, Google Chrome, Safari – will by default block the content of your iFrame app, if the content source is not read as full https.
Users, who encounter this issue, must allow the browser to view the un-certified content manually, by clicking on the shield icon.
STEP-BY-STEP: HOW CAN I AS A CONTENT CREATOR OF MY IFRAME APP AVOID THIS ISSUE?
When you create an iFrame app, please note whether the page providing content for your application is encrypted (https) or not (http). If it is not, then you can take advantage of one of the following solutions:
Get the certificate
One of the ways how to ensure that users will not experience blocked content is to get the https certificate. In most cases your server-provider will have a solution for you, so the way is to contact your provider and ask for assistance in that matter.
Use hosting solution
Another option is to use cloud services such as Amazon Web Services, e.g. their Simple Storage Service (S3) product.
Please note that you cannot use the S3 service to host the actual index page of an app (index.php) because Facebook uses HTTP POST request to get the index page of an iFrame app and S3 does not support POST requests. What you can do, however, is to use the S3 service to host all other content you link in your index page.