A non-secure Fetch might be allowed by Mixed Content

TIL

A non-secure (HTTP) fetch might be allowed on a secure (HTTPS) page if the fetch origin is localhost or 127.0.0.1.

Note that a regular script, style, image or video resource would still be blocked.

I always believed that HTTP requests would be blocked on an HTTPS page, but the algorithm is much more complex.

I stumbled upon this on the Apollo GraphQL setup page, which connects to the local GraphQL server over HTTP.
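As an added example (not code from the original post, the Apollo project or the specs), here is a simplified JavaScript model of the two linked algorithms, reduced to the steps that decide the localhost case; the page and request URLs are constructed samples, and user-agent-specific scheme allowlists and preference overrides are left out.

```javascript
// Hypothetical helper modelling the Secure Contexts and Mixed Content checks
// for a non-navigation fetch. Assumes Node.js with the WHATWG URL class.
// Spec steps about user-agent-configured schemes/preferences are omitted.

function isLoopbackHost(host) {
  // WHATWG URL serialises IPv6 hosts in brackets, e.g. "[::1]".
  if (host === "[::1]") return true;
  // 127.0.0.0/8: any dotted-quad whose first octet is 127.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

// Secure Contexts "Is url potentially trustworthy?", reduced to the steps that
// matter for a fetch issued from a web page.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; } // unparseable: not trustworthy
  const scheme = url.protocol.replace(":", "");
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;
  if (isLoopbackHost(url.hostname)) return true;
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  return false;
}

// Mixed Content "Should fetching request be blocked as mixed content?" for a
// plain fetch: block only when the page is secure and the target URL is not.
function shouldBlockFetch(pageUrl, requestUrl) {
  if (!isPotentiallyTrustworthy(pageUrl)) return false; // plain-HTTP page: nothing to protect
  return !isPotentiallyTrustworthy(requestUrl);
}

// Constructed sample: the local-GraphQL-server case from the post plus contrasts.
const PAGE = "https://app.example.com/";
const SAMPLES = [
  "http://localhost:4000/graphql",
  "http://127.0.0.1:4000/graphql",
  "http://[::1]:4000/graphql",
  "http://api.example.com/graphql",
  "https://api.example.com/graphql",
];
for (const u of SAMPLES) {
  console.log(u, shouldBlockFetch(PAGE, u) ? "BLOCKED" : "allowed");
}
```

Only the fourth sample is blocked; the loopback and `localhost` targets count as potentially trustworthy, so the mixed-content check never fires for them.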

[Screenshot, 2021-08-19]

References:

https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy

https://www.w3.org/TR/mixed-content/#should-block-fetch
