
Trailing-slash 301 redirects downgrade https:// to http:// #217

@alexskr

Summary

A request to an HTTPS URL with a trailing slash (e.g. /paths_to_root/) gets a 301 Moved Permanently whose Location: points at the same path without the trailing slash, but with the scheme rewritten to http://. Browsers block the redirect as mixed content, so the call fails.

Reproduction

With trailing slash — 301 to http:

$ curl -sI "https://stagedata.bioontology.org/ontologies/STY/classes/http%3A%2F%2Fpurl.bioontology.org%2Fontology%2FSTY%2FT071/paths_to_root/?apikey=<KEY>"
HTTP/1.1 301 Moved Permanently
location: http://stagedata.bioontology.org/ontologies/STY/classes/http%3A%2F%2Fpurl.bioontology.org%2Fontology%2FSTY%2FT071/paths_to_root

Without trailing slash — 200 OK:

$ curl -sI "https://stagedata.bioontology.org/ontologies/STY/classes/http%3A%2F%2Fpurl.bioontology.org%2Fontology%2FSTY%2FT071/paths_to_root?apikey=<KEY>"
HTTP/1.1 200 OK

Same behavior on production (data.bioontology.org). Not specific to paths_to_root — any endpoint hit with a trailing slash before the query string.

Expected

The 301's Location: preserves the request scheme: https://… in, https://… out. (Or drop the redirect entirely and accept both …/path and …/path/.)

Impact

The embedded biomixer visualization on https://bioportal.bioontology.org and https://stage.bioontology.org calls /paths_to_root/ (trailing slash). Every call is blocked by the browser:

Mixed Content: The page at 'https://stage.bioontology.org/ontologies/STY' was loaded over HTTPS,
but requested an insecure XMLHttpRequest endpoint
'http://stagedata.bioontology.org/ontologies/STY/classes/.../paths_to_root'.
This request has been blocked; the content must be served over HTTPS.

Any HTTPS browser client that emits trailing-slashed URLs is affected.
AnnotatorPlus may also be impacted.
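
A check for the behaviour reported above, as an added example that is not part of the original issue or the project's code: it parses `curl -sI` output and flags a redirect whose resolved Location leaves HTTPS. The function names, the `api.example.org` host and the sample headers are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample, shaped like the `curl -sI` output in the report.
SAMPLE_URL = "https://api.example.org/ontologies/STY/classes/T071/paths_to_root/?apikey=KEY"
SAMPLE_HEAD = """HTTP/1.1 301 Moved Permanently
location: http://api.example.org/ontologies/STY/classes/T071/paths_to_root
"""


def parse_head(raw):
    """Parse one `curl -sI` response into (status, {lowercased-header: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])  # "HTTP/1.1 301 ..." or "HTTP/2 301"
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(request_url, raw):
    """Return a finding dict if the redirect leaves HTTPS, else None."""
    status, headers = parse_head(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    # A relative Location inherits the request scheme, so resolve it first.
    target = urljoin(request_url, headers["location"])
    req, dst = urlsplit(request_url), urlsplit(target)
    if req.scheme != "https" or dst.scheme != "http":
        return None
    return {
        "status": status,
        "target": target,
        "same_host": req.hostname == dst.hostname,
        # True when the redirect only strips the trailing slash.
        "slash_only": req.path.rstrip("/") == dst.path.rstrip("/"),
    }


if __name__ == "__main__":
    print(check_redirect(SAMPLE_URL, SAMPLE_HEAD))
```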
