Solution: comment tag
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
CPS set upgrade-insecure-requests role is to allow the browser to automatically upgrade request.
Was added in response to the first server:
header("Content-Security-Policy:upgrade-insecure-requests");
Our page is https, but in this http page contains a lot of resources (images, iframe, etc.), page once found the presence of the response headers will be automatically replaced with https http request load resources.