Most of the modern browser follow mixed content specification which describes how browser should handle fetching of content over unencrypted connection in the context of an encrypted document.
There are two mixed-content category defined by the mixed content specification:
- Blockable Content: Any resource that isn't optionally-blockable is blockable. e.g. scripts, plugin data, data requested via AJAX (XMLHttpRequest). These are being blocked by the browser. Most of the browser won't block the resources in mixed-content page since doing so will break the functionality of the site. Browsers may report the mixed-content but by the time browser loads the page the requests have already been made and security of the web page is compromised.
You can prevent mixed-content page from delivering by doing the following:
Embed the security policy in the element of your HTML page
By delivering a Content-Security-Policy HTTP header. e.g