[MIX]: User agents MAY screw with requests for mixed content.

specs/mixedcontent/index.src.html

@@ -544,6 +544,14 @@ <h3 id="requirements-fetching">Resource Fetching</h3>
         <code>Strict-Transport-Security</code> header field as forcing all
         content into the <a>active</a> category. [[RFC6797]]
       </li>
+      <li>
+        <a>Requests</a> for <a>optionally blockable passive</a> resources which
+        are <a>mixed content</a>, but which are <strong>not</strong> treated
+        as <a>active content</a> MAY be modified to reduce the risk to users.
+        For example, cookies and other authentication tokens could be stripped
+        from the requests, or the user agent could automatically change the
+        protocol of the requested URL to <code>HTTPS</code> in certain cases.
+      </li>
     </ol>
 
     The <a section href="#fetch-integration"></a> and