I need clarification about submitting form data to a secure server. My current paradigm is that in order to submit form data securely, you need to be submitting from a page hosted on a secure server, such as https://domain.com, and submitting to a page on that server.
But I just went to a website that claims that, "The form is submitted using an HTTPS form action. All sensitive data is encrypted before transmission and is never sent as clear-text." The page the form is on does not appear to on a secure server, that is, the URL looks like http://domain.com/form.html. I looked at the source code, and the form is posting to a secure server, action="https://secure.domain.com/gateway.
Is this arrangement possible? It would seem that you couldn't establish an encryption scheme until after you have arrived at a page on the secure server. Would this arrangement cause any kind of warning message when a form is submitted?