(Security) 302 redirects to plain HTTP site still have padlock icon

gp

Steps to reproduce:

It appears that there is a bug in the visual indication of HTTPS (padlock in location bar) status after a redirect via Location header (within the same origin). A non-HTTPS site continues to have the padlock icon (and certificate info when clicking it), despite the page being served without HTTPS.

The symptom:

A trace of the redirect:

Orion knows the page was served up insecurely (via dev tools):

This redirect takes place without any notable visual warning, and the padlock icon remains. I've only tested it within origin (i.e. where https://auth.dev.<whatever> redirects to http://auth.dev.<whatever>, but I imagine the bug could affect cross-origin redirects.

Expected behavior:
At minimum, the padlock icon should disappear, and whatever icon is used for "insecure site" (in future I guess) should be shown. Given how widespread HTTPS is, that should be safe.

More likely, the padlock icon should disappear, and the user should see a major security error warning to alert them to this downgrade via a redirect?

Safari doesn't have a full-page intersitial, but does spot the issue and alert via the URL bar.

Orion, OS version; hardware type:
Version 0.99.110-beta (WebKit 613.1.12) on 12.1 release (21C52)

jei4

For me this also happens on just a plain link without 301 or 302 redirect. Maybe because I also have something running via HTTPS on Port 443. But another webserver serving plain HTTP on another (non-standard) port on the same host still shows the secure lock icon.