This site runs on CloudFlare, as the host isn’t 100% reliable; the quickest way to see that is from the SSL certificate. Alas, it is also this injected process and certificate that caused some insecure content to be displayed. It’s nice to see browsers handle mixed content better, but unfortunately that mixed content consisted of all the graphics and stylesheets. ‘Flexible SSL’ means that CloudFlare was requesting the data from the host over plain HTTP, then masquerading it as HTTPS to visitors.

However, all of my sites are already encrypted using LetsEncrypt, a new Certificate Authority that relies on automated renewal. Traditionally, free SSL meant the validity period was short or the certificate wasn’t trusted; the longest validity was StartSSL’s 1 year certificate (not a bad certificate, but limited trust). LetsEncrypt certificates are short-lived, but the auto-renewal negates this issue. Telling CloudFlare this by switching the SSL mode to Full / Full (Strict) fixed the issues.