A note for myself that others may find useful.
Looking at the default behaviour of common current browsers with mixed content, and with mixed content and HSTS.
IE9 - hides mixed content with a little note saying what it has done.
IE8 - offers to show only the content delivered securely. You have to choose the non-default "no" to see the unsecured content.
FF18 - warns on first visit to site with mixed content but you must tick the box for similar warnings in future. This strikes me as wrong, have I misunderstood something?
Chrome 24.mumble for Linux - displays page omitting mixed content with a little mark on the padlock. I click the padlock and the information window (which mentioned the mixed content) disappears off the top of the screen (Grr).
Impact of using HSTS on mixed content handling.
HSTS may be implemented by websites using SSL by adding a simple header to their HTTPS responses that says this site should be encrypted for the next N seconds. Browsers then transparently convert all HTTP requests for that domain into HTTPS requests.
The main use case is to prevent users contacting "www.paypal.com" (no, really, PayPal paid for trying to fix the holes in SSL) over http and being directed to an inappropriate insecure site because their connection or DNS has been compromised. Thus if they have used PayPal recently the browser remembers it should reconnect with SSL, and if the SSL certificate is invalid it will stop (yes, HSTS means no more ignoring certificate errors).
HSTS RFC6797 Section 12.4 disallows mixed content when HSTS is in use.
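To make the mechanism above concrete, here is an added toy model of the browser side of HSTS, written for this note and not taken from any browser or from the RFC's own code. It parses the Strict-Transport-Security response header (max-age, includeSubDomains), remembers the host for N seconds, upgrades later http:// requests for that host to https://, and applies the RFC 6797 section 12.4 rule that a page on a known HSTS host must not pull active content over plain HTTP. The hostname www.example-bank.test and the header values are constructed; the jQuery URL is the one discussed in this note.

```python
"""Toy HSTS policy store and mixed-content decision (added illustration)."""
import time
from urllib.parse import urlsplit, urlunsplit


class HSTSStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.policies = {}          # host -> (expiry timestamp, includeSubDomains flag)

    @staticmethod
    def parse_header(value):
        """Parse 'max-age=N[; includeSubDomains]'. Returns (max_age, include_sub) or None."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name, val = name.strip().lower(), val.strip().strip('"')
            if name == "max-age":
                if max_age is not None or not val.isdigit():
                    return None     # duplicate or malformed max-age: ignore the whole header
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
            # any other directive is unknown and ignored, as the RFC requires
        return None if max_age is None else (max_age, include_sub)

    def process_response(self, url, headers, cert_valid=True):
        """Record a policy. Only an HTTPS response with a valid certificate may set one."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_valid:
            return False
        parsed = self.parse_header(headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0 means "forget this host"
        else:
            self.policies[parts.hostname] = (self.clock() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host (or a superdomain with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry > self.clock() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; port 80 becomes the default 443."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known_host(p.hostname):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

    def subresource_decision(self, page_url, resource_url):
        """Decide what an HTTPS page may do with an http:// subresource."""
        page, res = urlsplit(page_url), urlsplit(resource_url)
        if page.scheme != "https" or res.scheme != "http":
            return "load"                       # not a mixed security context
        if self.rewrite(resource_url) != resource_url:
            return "upgraded"                   # the resource host is itself an HSTS host
        if self.is_known_host(page.hostname):
            return "blocked"                    # RFC 6797 s12.4: no mixed content on an HSTS page
        return "browser-default"                # non-HSTS page: whatever the browser normally does


if __name__ == "__main__":
    store = HSTSStore()
    store.process_response("https://www.example-bank.test/",
                           {"Strict-Transport-Security": "max-age=600; includeSubDomains"})
    print(store.rewrite("http://login.www.example-bank.test/"))
    print(store.subresource_decision(
        "https://www.example-bank.test/",
        "http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"))
```

The last call is the Firefox 18 case from this note: the page host is protected by HSTS, ajax.googleapis.com is not, so a conforming browser blocks the script rather than running it over plain HTTP.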
IE doesn't implement HSTS yet. It has only just been formally ratified as a standard, but they had hoped to include it in IE10, and I guess it may still happen; it being a proper standard probably helps those inside Microsoft saying "please".
Firefox 18 implements HSTS but, when visiting another site which uses a copy of jQuery from http://ajax.googleapis.com, it loads and executes that jQuery using vanilla HTTP.
I read that as a failure by Firefox to adhere to the standard, whereas Chrome is just doing its default HTTPS behaviour. The repercussions for Firefox are not as large as one might first think: by definition, people using HSTS should not be using the http version of third-party resources, and their website will probably be broken in Chrome and IE, although if it were analytics or something else not immediately visible to users that might not be spotted.
Chrome implements HSTS and didn't load the mixed content from http://ajax.googleapis.com/
Firefox 18 can be "fixed" by visiting "about:config" and changing these two settings to "true".
These apply without HSTS as well, but unless they are the default only geeks like me are going to do that, and we are probably at the lower end of the risk spectrum as far as being caught by this sort of thing goes; these should also be active when HSTS is active:
Firefox and Chrome both have pre-seeded lists of domains that are using HSTS (including PayPal.com), so when you see PayPal.com in your browser you can be confident it is protected by SSL. A lot of work for a modest security gain; on the other hand, my online bank doesn't yet use HSTS, isn't pre-seeded in the browsers, and sends users from the main bank page, delivered using http, to the secure site (sigh).
For completeness I should have looked at the handling of certificate errors in Firefox with HSTS enabled, but that one answers my question, and certificate errors are evil and show a careless attitude to handling cryptographic material.
Microsoft Ireland provide a handy mixed content test page. Thanks Guys.