The three previous answers all mention the problem of a secured “https” page trying to include scripts or other resources (stylesheets, images, etc) from an “http” path…
I would like to add to these, and note that if you have a situation where the same pages could be loaded via either http or https, then you can create “protocol-less” URLs—the protocol will be assumed to be the same as the current page. Note this is only needed for accessing resources on different domains (and will only work if those different domains support both http and https), because obviously if you’re accessing resources on the same domain, you don’t need to start with http:// at all…
For example, each of these three resources would assume either http or https depending on how the current page was accessed:
<script src="https://www.example.com/whatever.js" type="text/javascript"></script>
<img src="https://www.example.com/someimage.png" alt="whatever" />
<link href="https://www.example.com/styles.css" rel="stylesheet" />