Oneboxed http link causes a TLS mixed content warning

When someone posts an http link in their post and it gets oneboxed, this triggers a TLS mixed content warning (and the browser no longer displays the page as secure).

This issue has been discussed in a number of topics (see end of post) and I gather from these discussions (especially https://meta.discourse.org/t/download-images-for-oneboxes-as-well-if-download-images-is-set/21103/) that this is a complex issue to resolve. I understand that a workaround is to indent those insecure URLs to make sure they don’t get oneboxed. (But this is not something to explain to the average user, especially if we want to simultaneously teach them to use oneboxes.)

What I don’t understand is what the current state of affairs is regarding this. Is this on the roadmap? Is it ultimately not fixable? Is there something the individual site-admin can do?

I believe that this topic reflects the latest state of the discussion but it seems inconclusive too:

https://meta.discourse.org/t/download-images-for-oneboxes-as-well-if-download-images-is-set/21103/

So, beyond the technical debate: what can/should site-admins do about this?


Previous discussions of this issue:

https://meta.discourse.org/t/dont-load-http-onebox-images-when-using-https/27530

1 Like

You would need to mirror the entire http content somewhere as https, which is wildly out of scope for our project.

I’m confused on the workaround here. If the original content is HTTPS should there still need to be an “indent” before including?

If so, what kind of “indent” is it?

If the original content is HTTPS there is nothing to do, a link will get oneboxed just fine.

For HTTP we have an open PR pending a test that will get merged soonish.

2 Likes

Duplicate of Download images for oneboxes as well, if download images is set
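
For the site-admin question raised in this thread, an added example (not from any poster and not Discourse code): a small audit that reports which elements in a post's rendered HTML load over plain http and so trigger the mixed content warning, while ignoring ordinary `<a href>` links, which do not. The sample markup, the function name `find_mixed_content`, and the simple comma split of `srcset` are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is deliberately absent: a navigation link is not mixed content.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("video", "poster"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # Only a stylesheet <link> is treated as an active subresource here.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self._check("active", tag, attrs.get("href", ""))
        for name, value in attrs.items():
            if (tag, name) in PASSIVE:
                self._check("passive", tag, value)
            elif (tag, name) in ACTIVE:
                self._check("active", tag, value)
            elif tag in ("img", "source") and name == "srcset":
                # srcset holds comma-separated "url descriptor" candidates
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self._check("passive", tag, parts[0])

    def _check(self, kind, tag, url):
        if url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

def find_mixed_content(cooked_html):
    finder = MixedContentFinder()
    finder.feed(cooked_html)
    finder.close()
    return finder.findings

# Constructed sample resembling a oneboxed link plus an embedded frame.
SAMPLE = """
<aside class="onebox">
  <a href="http://example.com/article">Example article</a>
  <img src="http://example.com/thumb.png">
  <img src="https://example.com/ok.png" srcset="http://example.com/thumb@2x.png 2x">
</aside>
<iframe src="http://example.com/embed"></iframe>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE):
        print(finding)
```

Findings marked `active` (scripts, frames, stylesheets) are the ones browsers block outright; `passive` ones (images, media) are what produce the "not fully secure" indicator described in the first post.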