Mixed content occurs when an HTTPS page references an http:// resource. Browsers split this into two categories: active mixed content (scripts, stylesheets, iframes, fetch/XHR) is BLOCKED outright by every modern browser because the attacker could inject malicious code; passive mixed content (images, audio, video) is allowed but flagged in DevTools.
The common cause is hard-coded http:// URLs in templates, CDN configurations, or third-party embeds left over from pre-HTTPS days. Find them by opening DevTools' Console + Security tab on a known page; both surface a mixed-content warning per offending resource.
Fix by changing the URL to https:// (most CDNs + image hosts have served HTTPS for years) or to the protocol-relative form //cdn.example.com/asset.js (which uses whatever protocol the parent page uses).