specify the prohibits mixed security contexts algorithm for multiple presentation URLs #329

Closed
schien opened this Issue Aug 16, 2016 · 2 comments

schien commented Aug 16, 2016

In step 3 of the "Starting a presentation" algorithm, it only defined the behavior if one presentation URL is assigned. Below are the two possible solutions:

  1. If the result of the algorithm is "Prohibits Mixed Security Contexts" and any of the presentationUrls is an a priori unauthenticated URL, then return a Promise rejected with a SecurityError and abort these steps.
  2. If the result of the algorithm is "Prohibits Mixed Security Contexts" and all of the presentationUrls are a priori unauthenticated URLs, then return a Promise rejected with a SecurityError and abort these steps. Otherwise exclude those URLs that are a priori unauthenticated URLs from presentationUrls and continue the algorithm.

schien commented Aug 16, 2016

BTW, we need to sync the description of mixed security context check in section 6.4.3 "Getting the presentation displays availability information" as well.

mfoltzgoogle commented Aug 18, 2016

Thanks for pointing this out @schien.

I think it might be unexpected behavior if some URLs were allowed to continue in the algorithm and others are not; the order matters. I'm going to prepare a PR to implement your suggestion 1 and address your second comment as well.
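
The two candidate rules from this thread, side by side, as an added example that is not part of the original issue or of the specification text. The function names and the `isAPrioriUnauthenticated` predicate are assumptions: the predicate is a simplified stand-in that treats only `https:` and `wss:` URLs as authenticated, and the sample URLs are constructed.

```javascript
// Simplified stand-in (assumption) for the "a priori unauthenticated URL"
// test: anything that is not https: or wss: counts as unauthenticated.
function isAPrioriUnauthenticated(url) {
  const scheme = new URL(url).protocol;
  return scheme !== "https:" && scheme !== "wss:";
}

// Suggestion 1: one unauthenticated URL rejects the whole request.
function checkStrict(prohibitsMixed, presentationUrls) {
  if (prohibitsMixed && presentationUrls.some(isAPrioriUnauthenticated)) {
    return { error: "SecurityError", urls: [] };
  }
  return { error: null, urls: presentationUrls.slice() };
}

// Suggestion 2: reject only if every URL is unauthenticated; otherwise
// drop the unauthenticated ones and continue with the rest.
function checkFiltering(prohibitsMixed, presentationUrls) {
  if (!prohibitsMixed) {
    return { error: null, urls: presentationUrls.slice() };
  }
  const kept = presentationUrls.filter((u) => !isAPrioriUnauthenticated(u));
  if (kept.length === 0) {
    return { error: "SecurityError", urls: [] };
  }
  return { error: null, urls: kept };
}

// Constructed input: the page lists its preferred receiver first.
const sampleUrls = [
  "http://example.com/receiver-preferred.html",
  "https://example.com/receiver-fallback.html",
];

function compare(prohibitsMixed, urls) {
  return {
    strict: checkStrict(prohibitsMixed, urls),
    filtering: checkFiltering(prohibitsMixed, urls),
  };
}

const result = compare(true, sampleUrls);
console.log("suggestion 1:", JSON.stringify(result.strict));
console.log("suggestion 2:", JSON.stringify(result.filtering));
```

With the constructed input, suggestion 1 fails loudly with a SecurityError, while suggestion 2 continues with only the second URL, so the page's first choice is dropped without any signal to the caller.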
