I have a web app hosted via HTTPS that is trying to load basemaps (or cached map services from a Data Appliance) from a different ArcGIS Server that does not have SSL enabled (and which I don't control).
I thought tile images were inactive content and I would not be getting "Blocked loading mixed active content ..." errors in my app, but I am getting that error on load due to an apparent API query of the map service!
Can that query ("http://<server>/arcgis/rest/services/World_Topo_Map/MapServer/f=json") be disabled or mitigated somehow? It is unlikely I can influence the server admins to enable SSL, so using HTTPS is not an option.
This is a browser restriction; you cannot make an unsecured request from a secured page in most (if not all) modern browsers.
You can bypass this issue by using a proxy (see link below) hosted on your secure server, however this defeats the purpose of having a secured application and is therefore not suggested. Whenever you add non secure content to a secured page, the page becomes unsecured for all intents and purposes.
Otherwise, the only other option is to remove SSL from your site or not use that service.
I am very familiar with the security issue (unfortunately). My question was about preventing the API from launching a query (i.e. active content) against a map service only used for basemap image tiles. Image tiles are inactive content, so I assumed the mixed active content security violation would not come up. But it does come up because of those map service queries that I wasn't expecting.
Luckily the esri/layers/WebTiledLayer class is does not launch any queries against the map service, so I am going to switch to that layer type.