Here is the complete webpage my unsecured form appears on as generated by paypal:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:ns1="og" lang="en" xmlns="http://www.w3.org/1999/xhtml" ns1:xmlns="http://ogp.me/ns#"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<!--
         Script info: script: merchantpaymentweb, cmd: _flow, template: xpt/Checkout/wps/Redirect, date: Jan 26, 2013 12:44:22 PST; country: US, language: en_US, xslt server: 
		web version: 98.0-5060305 branch: ed6ef1e626ad36c6a8bf098b92b642da0405faba
		content version: -
		pexml version: 98.0-5060296
		page XSL: Checkout/default/en_US/wps/Redirect.xsl
       hostname : TF42PRssk7Fx3eD7tQWWRYmQwWSAToBWrdutKWQoJvM
         rlogid : N4BCjdz6QuXpNGm8sIUgsPMqxlPKr63g8%2b7s%2fgRE7NbReDSv2haEAjGU6%2fa0AFKqTDcDygGJ5%2fs%3d_13cdafc6e7c
-->
<title>Thanks for your order - PayPal</title><meta http-equiv="refresh" content="5;url=http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&amp;action=paysuccess">
<!--googleoff: all-->
<meta name="description" content="PayPal is the safer, easier way to pay online without revealing your credit card number.">
<!--googleon: all-->
<meta http-equiv="X-UA-Compatible" content="IE=9"><link media="screen" rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/css/core/xptdev.css"><link media="screen" rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/css/core/global.css"><link rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/Checkout/css/checkout.css">
<!--[if lte IE 9]><link media="screen" rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/Checkout/css/ie.css"><![endif]-->
<link rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/css/sandbox.css"><style type="text/css" id="antiClickjack">body{display:none !important;}</style><script type="text/javascript">
				if (self === top) {
					var antiClickjack = document.getElementById("antiClickjack");
					antiClickjack.parentNode.removeChild(antiClickjack);
				} else {
					top.location = self.location;
				}
			</script><script type="text/javascript" src="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/js/lib/min/global.js"></script><script type="text/javascript">PAYPAL.util.lazyLoadRoot = 'https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1';</script><link rel="shortcut icon" href="https://www.sandbox.paypal.com/en_US/i/icon/pp_favicon_x.ico"><link rel="apple-touch-icon" href="https://www.sandbox.paypal.com/en_US/i/pui/apple-touch-icon.png"></head><body class="xptSandbox"><noscript><style type="text/css">body{display:block !important;}</style><p class="nonjsAlert">NOTE: Many features on the PayPal Web site require Javascript and cookies. You can enable both via your browser's preference settings.</p></noscript><div class="" id="stdpage"><div id="header"><h1 class="confidential">Shaman's Joy Test Store</h1></div><hr><div id="content"><div id="headline"><h1 class="accessAid">Thanks for your order</h1>
</div><div id="messageBox"></div><div id="main"><form method="post" id="merchantredirectform" name="merchantredirectform" action="http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&amp;action=paysuccess" class=""><input type="hidden" name="mc_gross" value="19.95"><input type="hidden" name="protection_eligibility" value="Ineligible"><input type="hidden" name="address_status" value="confirmed"><input type="hidden" name="item_number1" value=""><input type="hidden" name="payer_id" value="3NX4GG3FKXTA4"><input type="hidden" name="tax" value="0.00"><input type="hidden" name="address_street" value="1 Main St"><input type="hidden" name="payment_date" value="15:13:51 Feb 14, 2013 PST"><input type="hidden" name="payment_status" value="Pending"><input type="hidden" name="charset" value="windows-1252"><input type="hidden" name="address_zip" value="95131"><input type="hidden" name="mc_shipping" value="0.00"><input type="hidden" name="mc_handling" value="0.00"><input type="hidden" name="first_name" value="buyer"><input type="hidden" name="mc_fee" value="0.88"><input type="hidden" name="address_country_code" value="US"><input type="hidden" name="address_name" value="buyer beware"><input type="hidden" name="notify_version" value="3.7"><input type="hidden" name="custom" value="70"><input type="hidden" name="payer_status" value="verified"><input type="hidden" name="business" value="testad_1345151796_biz@7639.myhost.com"><input type="hidden" name="address_country" value="United States"><input type="hidden" name="num_cart_items" value="1"><input type="hidden" name="mc_handling1" value="0.00"><input type="hidden" name="address_city" value="San Jose"><input type="hidden" name="payer_email" value="testad_1345151513_per@7639.myhost.com"><input type="hidden" name="verify_sign" value="AFcWxV21C7fd0v3bYYYRCpSSRl31APWQ6iv6bpdsA3tZsF1yky.2GKww"><input type="hidden" name="mc_shipping1" value="0.00"><input type="hidden" name="tax1" value="0.00"><input type="hidden" name="txn_id" value="07U12500FA226742J"><input type="hidden" name="payment_type" value="instant"><input type="hidden" name="last_name" value="beware"><input type="hidden" name="address_state" value="CA"><input type="hidden" name="item_name1" value="Shaman's Joy Salve (Salve) 2 Ounce Jar"><input type="hidden" name="receiver_email" value="testad_1345151796_biz@7639.myhost.com"><input type="hidden" name="payment_fee" value="0.88"><input type="hidden" name="quantity1" value="1"><input type="hidden" name="receiver_id" value="FBL476UVL2PHL"><input type="hidden" name="pending_reason" value="paymentreview"><input type="hidden" name="txn_type" value="cart"><input type="hidden" name="mc_gross_1" value="19.95"><input type="hidden" name="mc_currency" value="USD"><input type="hidden" name="residence_country" value="US"><input type="hidden" name="test_ipn" value="1"><input type="hidden" name="transaction_subject" value="70"><input type="hidden" name="payment_gross" value="19.95"><div class="layout1"><div class="rounded maxWidth"><div class="top outer"></div><div class="body outer nobg clearfix"><div id="secureCheckout" class="lockLogo"><span class="spriteLogo paypallock" title="PayPal"></span></div><h2>Thanks for your order</h2><p>Your payment of $19.95 USD is complete.</p><p>You're now going back to <strong class="confidential">jane thompson's Test Store</strong>.</p><p> If you are not redirected within 10 seconds, <span class="buttonAsLink"><input type="submit" value="click here" id="merchantReturnLink" name="merchant_return_link" class=""></span>.</p><img src="https://altfarm.mediaplex.com/ad/bk/3484-16283-2054-9?MerchPayFlow=1&amp;mpuid=;1P5703642H1517524;0;USD" border="0" alt=""></div><div class="bottom outer nobg"></div></div><script type="text/javascript">
												PAYPAL.util.Event.onDomReady(					   
													function()
													{
														setTimeout("document.forms.merchantredirectform.submit()", 4000);
													}
												);
											</script></div><input name="auth" type="hidden" value="ACEXWel5vgVCbZoy39-bRP9X4mMCB9nOxRR.MfydwvyqJtmkVy8BycPPQNLG7d0fWCqUxxHpfy-DISl-n1CUHGw"></form></div></div><div id="footerhps"><p>PayPal. The safer, easier way to pay.</p><p>For more information, read our <a target="_blank" href="https://www.sandbox.paypal.com/us/cgi-bin/merchantpaymentweb?cmd=p/gen/ua/ua_pop-outside&amp;country.x=US" onClick="PAYPAL.core.openWindow(event, {width: 640, height: 300})">User Agreement</a> and <a target="_blank" href="https://www.sandbox.paypal.com/us/cgi-bin/merchantpaymentweb?cmd=p/gen/ua/policy_privacy_pop-outside&amp;country.x=US" onClick="PAYPAL.core.openWindow(event, {width: 640, height: 300})">Privacy Policy</a>.</p><div id="footerSandbox"><div id="sandboxFooter"><div class="nav-footer"></div><div id="testsite"><h1>Test Site</h1></div></div></div></div></div><script type="text/javascript" src="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/js/lib/min/widgets.js"></script>
<!-- SiteCatalyst Code
Copyright 1997-2005 Omniture, Inc.
More info available at http://www.omniture.com -->
<script type="text/javascript" src="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/js/site_catalyst/pp_jscode_paypalsandboxdev.js"></script>
<script type="text/javascript">
s.prop1="xpt/Checkout/wps/Redirect";
s.prop6="6F794158BL866512E";
s.prop7="personal";
s.prop8="verified";
s.prop9="unrestricted";
s.prop10="US";
s.prop20="1360883642";
s.prop35="in";
s.prop40="ea67dd56d0814";
s.prop50="en_US";
s.prop74="70";
s.eVar5="US";
s.eVar7="personal:verified:unrestricted";
s.eVar19="personal";
s.eVar28="tnc-0-wps-groupzero";
s.eVar31="xpt/Checkout/wps/Redirect::_flow";
s.eVar50="N4BCjdz6QuXpNGm8sIUgsPMqxlPKr63g8%2b7s%2fgRE7NbReDSv2haEAjGU6%2fa0AFKqTDcDygGJ5%2fs%3d_13cdafc6e7c";
s.pageName="xpt/Checkout/wps/Redirect::_flow";
s.prop56="no";
s.prop18="";
s.prop5="1P5703642H1517524";
s.prop16="";
s.prop34="PayPalCredit:Servicing:CO:NoTransactions";
</script>
<script type="text/javascript"><!--
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
function scOnload(){var s_code=s.t();if(s_code)document.write(s_code);}
if(window.addEventListener){
window.addEventListener('load',scOnload,false);
}else if(window.attachEvent){
window.attachEvent('onload', scOnload);
};
if(navigator.appVersion.indexOf('MSIE')>=0)document.write(unescape('%3C')+'\!-'+'-')
//-->
</script><noscript><img
src="//paypal.112.2O7.net/b/ss/paypalsandboxdev/1/H.6--NS/0?pageName=NonJavaScript"
height="1" width="1" border="0" alt="" /></noscript>
<!--/DO NOT REMOVE/-->

<!-- End SiteCatalyst Code -->
</body></html>

Hi jodyCoolness, thank you for the expanded source. There is a meta refresh back to your site (without parameters) after 5 seconds, while a script is designed to submit the form 4 seconds after the DOM of the page is complete.

<meta content="5;url=http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&action=paysuccess" http-equiv="refresh">

<script type="text/javascript"> PAYPAL.util.Event.onDomReady( function() { setTimeout("document.forms.merchantredirectform.submit()", 4000); } );
</script>

If there were no warning, the refresh would never run because the post will preempt the refresh. But there's no way as the website to prevent the warning from displaying.

I can't think of a good reason for the meta refresh to be in there -- if you want the form to submit in order to display all the data to the customer. There is a <noscript> block text informing the user to submit the form manually if scripting is disabled. Is there a way to get the meta refresh removed?

I seriously doubt I could persuade paypal to change anything. Your analysis is appreciated, but I distinctly see your position as biased against a mozilla solution, at least you haven't offered significant discussion concerning the split as I call it.

The paypal page is a single page. You may be right about how paypal has structured the page (I think the meta refresh tag is redundant and insignificant and as you point out will not fire), but I don't see a problem with the way other browsers process the response; it's always received as singular and monolithic.

I haven't looked into the bowels of the Joomla CMS request dispatch code, so I am not certain why responses from mozilla and safari for example, differ in how Joomla processes them.

Hi jodyCoolness, my goal here on the support forum is to look for immediate solutions or workarounds, and it sounds as though you're stuck with PayPal's page as is.

It's possible this problem is a side effect of changes made in recent years to the way dialogs work. ??

I don't know whether Firefox should always delay or disregard a scheduled refresh or other navigation if it is waiting for user input on a dialog such as the OK/Cancel for an insecure form submission. It's hard to think of the scenarios where that might come up.

You probably should go ahead and file a bug for this in Bugzilla. I haven't searched to see whether anyone has filed it before.

OK, I'll see if I can distill this conversation down and do that.

Thanks for your effort in trying to understand the problem.

In searching further about this, some users have zeroed in on how the return to your site is configured. Based on what I have read, the secure-to-insecure warning arises when you have set one of the HTML variables (rm, for Return Method) to get the payment variables returned to your site using a POST. It apparently does not arise if you have rm set to use a GET.

Since you want the payment variables, you probably have this in your form that submits the transaction to PayPal:

<input type="hidden" name="rm" value="2">

I still don't understand why the PayPal page includes both the POST form described in the documentation AND the 5-second meta refresh that ends up kicking in before you can OK the dialog. I find it hard to believe that was intentional; maybe there's a bug in the sandbox?

For reference, PayPal describes the three options for rm as follows:

0 - "all shopping cart payments use the GET method" (default)
1 - "the buyer's browser is redirected to the return URL by using the GET method, but no payment variables are included"
2 - "the buyer's browser is redirected to the return URL by using the POST method, and all payment variables are included"

Auto-return seems to always use a GET, so people reporting this has solved the problem must not miss getting the variables.