Mixing HTTP and HTTPS contents

This webpage mixes HTTP and HTTPS content: it loads two scripts which pop-up alert windows, one is loaded with HTTP and the other with HTTPS, and it includes two frame from xkcd, the left one with http and the right one with https.

Load this page with a httpS url https://www.cs.ru.nl/~erikpoll/websec/demo/mixed_content.html and a http url https://www.cs.ru.nl/~erikpoll/websec/demo/mixed_content.html and look for the difference. Also look at differences in the address bar of your browser.

You can use it to see how your browser responds to mixed content: most browsers should issue warnings. Try loading this page through HTTP and then through HTTPS to see the difference. If you load it through HTTPS, your browser may refuse to include the HTTP content (i.e. the first popup and the subpage) and display a warning in the location bar.

You may also notice that your browser offers the possibility to block all these pop-up windows.

Below we include the subpage in an iframe, which is loaded with HTTP. If the current page is loaded via HTTPS, then this subpage should not load. (Why?)