When someone posts a http link in their post and it gets oneboxed, this triggers a TLS mixed content warning (and the browser no longer displays the page as secure)
This issue has been discussed in a number of topics (see end of post) and I gather from these discussions (especially https://meta.discourse.org/t/download-images-for-oneboxes-as-well-if-download-images-is-set/21103/) that this is a complex issue to resolve. I understand that a workaround is indent those insecure urls to make sure they don’t get oneboxed. (But this is not something to explain to the average user, especially if we want to simultaneously teach them to use oneboxes.)
What I don’t understand is what the current state of affairs is regarding this. Is this on the roadmap? Is it ultimately not fixable? Is there something the individual site-admin can do?
I believe that this topic reflects the latest state of the discussion but is seems inconclusive too: