HTTPS to HTTP JSONP request
An apache proxy will make a request to the endpoint on your behalf. You can even have non-jsonp requests to a service (json, xml, images, post, put, delete, etc) because the browser thinks it's doing the request to the same domain.
Your non.secure.site vhost file would contain something like
ProxyRequests OffProxyPreserveHost On <Proxy *> Allow from all</Proxy>ProxyPass /appspot https://production.appspot.com/ProxyPassReverse /appspot https://production.appspot.com/
Once you set it up you just call the service like...
http://non.secure.site/appspot/service?jsonCallback=jsonp1331132928704
Google proxypass for more info
https://serverfault.com/questions/429404/help-me-understand-how-to-use-proxypass
If you have no other option but using that not secured 3rd-party API you can think about MITM that API yourself.
Create a server side script that will be accessed only through SSL and will act as a proxy or a forwarder between your tag and the API. That way you can increase security by doing your own checks and validations on the data, and because you'll serve it under SSL you won't get any "Mixed Content" errors.
BTW, I haven't tested it there's always the chance that sites under Google certificate served from GAE will act differently.
Hope I could help.
I got the same issue for doing same stuff between http and https. It is a cross domain issue.
The most important thing you need is the server side page you are using for doing curl has to set some headers for allowing http to https connection. This are below....
header("Access-Control-Allow-Origin: your https url");header("Access-Control-Allow-Methods: POST, GET");header("Access-Control-Max-Age: 1728000");header("Access-Control-Allow-Headers: Content-Type, Connection, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control");header("Connection: close");