Mixed content is when a page served over https pulls in a resource over plain http. The page itself is secure, but a script, a stylesheet, an image or an iframe on it is not. The browser cannot promise the page is safe when part of it arrives over an unprotected connection, so it steps in.
Active is blocked, passive is flagged
How the browser reacts depends on what the resource is. Active resources, scripts, stylesheets and iframes, can change the whole page, so browsers block them outright. The script never runs, the stylesheet never loads, and the page renders broken, often with no visible error. Passive resources, images and media, cannot rewrite the page, so browsers let them through for now but mark the page as not fully secure, and they are increasingly upgraded to https or blocked too.
Why it matters
A blocked stylesheet or script is not a security footnote, it is a broken page: the layout collapses or a feature silently stops working, and neither you nor a crawler is told why. On the trust side, a not-secure warning undermines the one thing https was there to signal. A machine reader that fetches the raw html sees the http reference just as a browser does.
The fix
Serve every subresource over https. Change each http:// URL to https://, or make it protocol relative with a leading // so it follows the page. If a third party asset is only available over http, host your own https copy or drop it. Run the Audit to list the exact resources, and see forms that submit over http for the related case where it is a form action, not a subresource.