The title says it all. If I use an API from a non-SSL website, do I know I will get a mixed content error from browsers? That is, is a mixed-content error for that case what the relevant standards require browsers to do?
Yes, you will get a mixed-content error. Any insecure context request/response is mixed content:
A request is mixed content if its url is not a priori authenticated, and the context responsible for loading it requires prohibits mixed security contexts.
A response is mixed content if it is an unauthenticated response, and the context responsible for loading it requires prohibits mixed security contexts.
The "and the context responsible for loading it requires prohibits mixed security contexts" part just means the requesting context is a secure context—basically, a document with an https origin.
See also the Active content examples section of the MDN Mixed content article:
- <script> (src attribute)
- <link> (href attribute) (this includes CSS stylesheets)
- <iframe> (src attribute)
- XMLHttpRequest requests
- @font-face, cursor, background-image, and so forth
- <object> (data attribute)

Notice that the list includes XMLHttpRequest requests. (It should be updated to also include fetch() requests.)
See also the example at https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content#an_xmlhttprequest_example
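
The definition quoted in the answer above, modelled as an added JavaScript example that is not part of the original answer or of any browser's code. It assumes a simplified reading of the spec: only the listed schemes and loopback hosts count as "a priori authenticated", and only the document's own URL (not its ancestor frames) decides whether mixed content is prohibited. The function names and sample URLs are constructed for illustration.

```javascript
// Simplified model of the mixed-content check (assumptions, not browser code).
const AUTHENTICATED_SCHEMES = new Set(["https:", "wss:", "data:"]);
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Approximation of "its url is a priori authenticated".
function isAPrioriAuthenticated(url) {
  return AUTHENTICATED_SCHEMES.has(url.protocol) || LOOPBACK_HOSTS.has(url.hostname);
}

// Approximation of "the context prohibits mixed security contexts":
// the document itself was loaded over https.
function prohibitsMixedContent(documentUrl) {
  return new URL(documentUrl).protocol === "https:";
}

function isMixedContent(documentUrl, requestUrl) {
  // Resolve relative and scheme-relative URLs against the document first,
  // as the browser does before applying the check.
  const target = new URL(requestUrl, documentUrl);
  return prohibitsMixedContent(documentUrl) && !isAPrioriAuthenticated(target);
}

// Return the endpoints a page at documentUrl could not load as active content
// (script, XMLHttpRequest, fetch(), WebSocket) under this model.
function auditEndpoints(documentUrl, endpoints) {
  return endpoints.filter((endpoint) => isMixedContent(documentUrl, endpoint));
}

// Constructed sample input.
const sampleEndpoints = [
  "http://api.example/v1/items",   // insecure API
  "https://api.example/v1/items",  // secure API
  "//cdn.example/lib.js",          // scheme-relative, inherits the page scheme
  "/api/local",                    // same-origin relative path
  "ws://push.example/socket",      // insecure WebSocket
  "http://localhost:3000/dev",     // loopback, treated as trustworthy
];

console.log("from https page:", auditEndpoints("https://app.example/", sampleEndpoints));
console.log("from http page: ", auditEndpoints("http://app.example/", sampleEndpoints));
```
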