A mixed-content is when a resource is loaded with the HTTP protocol, from a website accessed with the HTTPs protocol, thus mixed-content are not encrypted and exposed to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[MITM attacks] and could break the entire level of protection that was desired by implementing encryption with the HTTPs protocol.


The main threat with mixed-content is not only the confidentiality of resources but the whole website integrity:

* A passive mixed-content (eg: _<img src="http://example.com/picture.png">_) allows an attacker to access and replace only these resources, like images, with malicious ones that could lead to successful phishing attacks.
* With active mixed-content (eg: _<script src="http://example.com/library.js">_) an attacker can compromise the entire website by injecting malicious javascript code for example (accessing and modifying the DOM, steal cookies, etc).