dotnet · rmkerr · Feb 20, 2018 · Feb 9, 2018 · Feb 10, 2018 · Feb 13, 2018
diff --git a/src/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs b/src/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs
@@ -888,6 +888,16 @@ private async void StartRequest(WinHttpRequestState state)
 
                 HttpResponseMessage responseMessage = WinHttpResponseParser.CreateResponseMessage(state, _doManualDecompressionCheck);
                 state.Tcs.TrySetResult(responseMessage);
+
+                // HttpStatusCode cast is needed for 308 Moved Permenantly, which we support but is not included in NetStandard status codes.
+                if (WinHttpTraceHelper.IsTraceEnabled() &&
+                    ((responseMessage.StatusCode >= HttpStatusCode.MultipleChoices && responseMessage.StatusCode <= HttpStatusCode.SeeOther) ||
+                     (responseMessage.StatusCode >= HttpStatusCode.RedirectKeepVerb && responseMessage.StatusCode <= (HttpStatusCode)308)) &&
+                    state.RequestMessage.RequestUri.Scheme == Uri.UriSchemeHttps && responseMessage.Headers.Location?.Scheme == Uri.UriSchemeHttp)
+                {
+                    WinHttpTraceHelper.Trace("WinHttpHandler.SendAsync: Insecure https to http redirect from {0} to {1} blocked.",
+                        state.RequestMessage.RequestUri.ToString(), responseMessage.Headers.Location.ToString());
+                }
             }
             catch (Exception ex)
             {

diff --git a/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.EasyRequest.cs b/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.EasyRequest.cs
@@ -370,6 +370,11 @@ internal void SetPossibleRedirectForLocationHeader(string location)
                     {
                         SetCookieOption(newUri);
                     }
+
+                    if (newUri.Scheme == Uri.UriSchemeHttp && _requestMessage.RequestUri.Scheme == Uri.UriSchemeHttps)
+                    {
+                        EventSourceTrace("Insecure https to http redirect: {0}", (_requestMessage.RequestUri, newUri));
+                    }
                 }
 
                 // Set up the new credentials, either for the new Uri if we were able to get it, 

diff --git a/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticateAndRedirectHandler.cs b/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/AuthenticateAndRedirectHandler.cs
@@ -132,6 +132,10 @@ await AuthenticationHelper.TrySetDigestAuthToken(request, currentCredential, dig
                     (HttpUtilities.IsSupportedSecureScheme(request.RequestUri.Scheme) && HttpUtilities.IsSupportedSecureScheme(location.Scheme));
                 if (!allowed)
                 {
+                    if (NetEventSource.IsEnabled)
+                    {
+                        NetEventSource.Info(this, $"Insecure https to http redirect from {request.RequestUri} to {location} blocked.");
+                    }
                     break;
                 }