Do not mix content from secure and unsecured locations; it’s the same as mixing beer and vodka and hoping for the best. Either use HTTPS and include all resources from secure locations, or stay on HTTP.
Modern web browsers are very well trained to warn you when a web page is trying to load something from an unsecured location. Scripts and style sheets are blocked by default, but images and other passive content are allowed to load with appropriate warnings.
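The blocked-versus-warned split described above can be checked for a single page with a small parser. This is an added example, not code from the original post; the tag-to-category map, the function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed tag -> (URL attribute, category) map, chosen for this example.
CHECKS = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),  # counted only when rel includes "stylesheet"
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in CHECKS:
            return
        attr, category = CHECKS[tag]
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return
        value = (attrs.get(attr) or "").strip()
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, value)
        if value and urlsplit(absolute).scheme == "http":
            self.findings.append((category, tag, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
<img src="http://img.example.com/logo.png"> <img src="/static/banner.png">
<a href="http://example.org/">ordinary link, not a subresource</a>"""

if __name__ == "__main__":
    for category, tag, url in find_mixed_content("https://www.example.com/", SAMPLE):
        print(f"{category:8} <{tag}> {url}")
```

Protocol-relative and root-relative URLs inherit the page's scheme, so only the three explicit `http://` subresources are reported, and the ordinary `<a>` link is ignored because following a link does not load a subresource.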
That’s why I’ve created a tool, nomixedcontent, to crawl web pages on a specific domain and list all mixed content issues.
The tool is a Python script that recursively scans web pages down to a predefined depth level and tries to identify resources that are loaded through the HTTP protocol. The following HTML elements are checked for mixed content: