Ajax form submitting to HTTPS from an HTTP page
#1

[eluser]dazzer[/eluser]
I have a form with sensitive inputs that I load on different HTTP pages (in a modal dialog). I need to ajax POST this form to an HTTPS location. I understand that this is not possible as it violates the Same Origin Policy.

I have come across a couple of solutions, but none that I can use. I cannot force HTTPS on all the pages containing the form due to SEO problems (this is what the client claims).

I have read that it's possible to encrypt the input data (using a secret key that I fetch using JSONP from an HTTPS location), post them to regular HTTP, and then decrypt server-side using the secret. I am not so sure about this method.

Could anyone explain the JSONP alternative, and tell me if it's secure enough to use? Or if there is another design pattern out there that can help me with this.

Thanks.

#2

[eluser]TheFuzzy0ne[/eluser]
Can't you just check to see if it's a known spider (with something like this: http://www.cult-f.net/detect-crawlers-with-php/) and redirect to HTTPS if it's not?

#3

[eluser]dazzer[/eluser]
It should work, but there are quite a lot of pages I need to do this for, and the crawlers aren't the only thing the client has in mind. The website will get a lot of traffic, and that amount of https requests won't work on the server he's using.

If there is no good solution, I'd rather create a separate page for the form and leave out the modal dialog. But I need to know for sure there is no other way to do this before I go with that.
#4

[eluser]TheFuzzy0ne[/eluser]
I'm afraid I can't help you there. I prefer the user to be able to see that they're using a secure connection in the address bar, so suffice to say I've never come across this situation before.
#5

[eluser]dazzer[/eluser]
Yes, I prefer that too. But the client thinks the modal dialog will provide a better user experience. I'll have to wait and see if anyone has encountered this before.
#6

[eluser]boltsabre[/eluser]
Quote:The website will get a lot of traffic and that amount of https requests won’t work on the server he’s using.
I seriously doubt that. I think your client is telling you lies or has no idea what s/he is talking about.

Quote:Can’t you just check to see if it’s a known spider
I wouldn't do that either. Google (and other search engines???) use "straw men" user agents, and as such you don't always know if it is Googlebot or not. Which can then lead to an SEO cloaking penalty depending on what you're doing...

Quote:I cannot force HTTPS on all the pages containing the form due to SEO problems ( this is what the client claims ).
Why not? Again I think your client is telling you lies or has no idea what s/he is talking about.
On said page you simply do a 301 redirect from http to https (although it's best that you update all links to that page to have https to minimise the number of required redirects and to stop the bots constantly crawling the http version). All other pages do a 301 from https to http!
Bots can certainly crawl and index https pages, it's not a problem. The problem is when pages are accessible by both http and https as this creates duplicate content issues.
So, so long as you ensure that pages are only accessible by one, and that you 301 redirect from the incorrect to the correct, you won't have a problem!!!
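
The one-scheme-per-page 301 rule from post #6, as an added example that is not part of the thread or any poster's code. `CANONICAL_HOST`, `SECURE_PATHS` and `canonical_action()` are hypothetical names with constructed values; refusing a non-GET request that reached a secure page over plain HTTP is a choice made in this example, since that body has already travelled unencrypted.

```php
<?php
// Added example (not from the thread). CANONICAL_HOST, SECURE_PATHS and
// canonical_action() are hypothetical names; the values are constructed.
const CANONICAL_HOST = 'www.example.com';
const SECURE_PATHS   = ['/account/payment'];   // pages that carry the sensitive form

/**
 * Decide what to do with a request so that each page answers on one scheme only.
 * Returns [status, location]: [200, null] to serve the page, [301, url] to
 * redirect, [403, null] to refuse.
 */
function canonical_action(string $method, bool $isHttps, string $requestUri): array
{
    // Only origin-form targets ("/path?query") are accepted.
    if ($requestUri === '' || $requestUri[0] !== '/') {
        return [403, null];
    }
    $path   = explode('?', $requestUri, 2)[0];
    $path   = rtrim($path, '/') ?: '/';
    $secure = in_array($path, SECURE_PATHS, true);

    if ($secure === $isHttps) {
        return [200, null];                       // already on the canonical scheme
    }
    // A form body that arrived over plain HTTP has already crossed the network
    // unencrypted; redirecting would hide that, so refuse instead.
    if ($secure && !in_array($method, ['GET', 'HEAD'], true)) {
        return [403, null];
    }
    // The host comes from configuration, never from the Host header, so the
    // client cannot steer the Location target.
    $scheme = $secure ? 'https' : 'http';
    return [301, $scheme . '://' . CANONICAL_HOST . $requestUri];
}

// Front-controller usage; skipped on the command line.
if (PHP_SAPI !== 'cli') {
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    [$status, $location] = canonical_action($_SERVER['REQUEST_METHOD'], $isHttps, $_SERVER['REQUEST_URI']);
    if ($status === 301) {
        header('Location: ' . $location, true, 301);
        exit;
    }
    if ($status === 403) {
        http_response_code(403);
        exit;
    }
}
```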



