I had this same problem a while back. rnd_me is correct.
When you want users to browse securely (via https), every single image, script, or anything else that loads on the page must be under the same exact domain, or browsers will deem the page unsecure and the https will be crossed out or removed in the address bar (or a message may pop up, depending on the browser).
Like I mentioned, even an image can do this. For instance, if your secure page URL is
... the image element must look like this:
It cannot be: