This site https://www.wormatlas.org/SW/SW.php/ was working fine under http and now that it's https, the flash is not fully working. When you click the arrows, it should not only navigate the slidable worm, but also change the picture.
There were hardcoded references to http and I changed every local href so that it refers to the root of the site, but that had no effect. I also added a crossdomain.xml to the root directory in case there hidden references. The file is as follows
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
But this also make no difference.
It's not quite clear why on Firefox, it says there are references to insecure content.
The same thing happens in Chrome, but it also gives (in the page inspector) a detailed report identifying http URLs (many) that it has ignored, and a number of 404 errors.
Don't know how you got Chrome to load activate Flash; control-click ignores me. I can see http urls being generated from within Firefox but the question is where it is getting http from. I load the page with https. Everything is a root relative reference. Something is switching the context.
There are http references embedded in various swf files. I used an Apache rewrite rule to fix it.