I can think of four fixes:-
Doing option 3 seems appropriate, but it doesn't help script writers using other http.lua functions such as get or head. Option 1 seems like the right thing to do, except that it arguably violates the principle of least surprise. Options 2 and 4 are probably not the appropriate places to solve this problem.
Fixes #212 http.get_url with https