Is http://nonsecure.form.xyz.org and https://secure.form.xyz.org a different domain? I ask about this because my javascript in safe cannot call it parent. The secure domain is inside the unsecured domain through an iframe.
EDIT
Conclusion
You can execute cross-domain scripts, but you cannot execute cross-protocol scripts (for example, https and http)
What you can do here is set document.domain = "form.xyz.org" on both sides before attempting to execute cross-domain scripts.
document.domain = "form.xyz.org"
However, you cannot cross-script between different protocols.