Thanks, CRO. I'm using /*.jpg and /*.css unless you think that is even less secure.
regarding my other question:
ec_insecure_context_bar_ws_and_index is an alternate to ad_context_bar that converts relative https links to http. Unfortunately it is not working for this install, apparently something in ec_insecurelink is not choosing to convert to the http version. Since this is working, will leave it to a rainy day to fix.