I have an e-commerce site where the login page contains a custom login form along with a fboauth based facebook connect button. Logging in through facebook only works on either HTTP or HTTPS. If we generally prefer use of HTTPS for login purposes, we have to go with that when configuring the Facebook app. For normal page requests we do however want to avoid serving HTTPS, due to heavier load, so we only redirect users to HTTPS once they hit for an example /user or the checkout process.
When Modal forms is used for login links, you will in this scenario run into issues if the user clicks a login link in the main navigation which opens the login form in a modal... and the user then attempts to connect through Facebook (which is set up to support HTTPS). Facebook's server will not be too pleased, and throws a nasty 500 internal error.
The simple solution to this is to allow administrators to disable Modal forms activation for "insecure" pages. This will send non-HTTPS users to the normal page containing the form in question - where you can have a module such as securelogin secure the form (redirect to the HTTPS version). If you on the other hand have a page which is redirected to HTTPS by default, like a checkout page would typically be, any login links (and other supported links) within that page can still open in a modal and prevent the user being redirected away from the page. It's a fairly OK compromise for anyone wanting to run mixed protocols, imo.