Allow HTTP Resource Download via HTTPS

Suppose my site is served over HTTPS and I need to load a CSS or Object resource over HTTP; how can I do this?

Please note that I can add Content-Security-Policy to the response headers for HTTPS sites, but I don’t know exactly how to do this. Can someone give me a solution?

+6
1 answer

There is no solution. Modern browsers will refuse to use non-https resources on pages served over https, because you would actually be undermining the https security model that way. CSP will not help, because it does not fix the problem. Your only choice is to either serve the site via http, or to proxy the external resources that are not available over https through your own site. But keep in mind that the latter option may affect the security model, since these external resources are now considered to come from the same domain as your own content, and can therefore abuse the same-origin policy.

+8

Source: https://habr.com/ru/post/982491/

