Hm, well, I think I need to give a little more detail...
My API returns something like this:
So, the first problem is, I'm serving files.
Second, they're under a static domain which is not the same as my app. The app is running under my-app.domain.com for example.
So this is not valid:
I have client apps running under http and https but right now if and https app uses my service it can't just render "http://static.mydomain.com/some-file.pdf" on a webpage because the browser will block the file, considering it an unsafe content.