Closed
Description
If a user navigates to http://example.com/ (insecure), and receives Content-Security-Policy: upgrade-insecure-requests as a response header, her client should behave as though it received a redirect response to https://example.com/.
This would remove the necessity for sending a positive Prefer: return=secure-representation signal on insecure navigations, as the server can simply opt-in on insecure responses.
Without thinking about it too hard, this seems clever. :)
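
The client-side decision proposed above, sketched as an added example that is not part of the original issue or of any specification text. The function names `cspDirectiveNames` and `upgradeTargetFor` are hypothetical, and the header objects passed to them are constructed sample input.

```javascript
// Added example: models the behaviour proposed in the issue.
// All names here are hypothetical, not a browser or spec API.

// Collect the lower-cased directive names from a Content-Security-Policy
// header value. One value may carry several comma-separated policies,
// each a semicolon-separated list of "name [value ...]" directives.
function cspDirectiveNames(headerValue) {
  const names = new Set();
  for (const policy of headerValue.split(',')) {
    for (const directive of policy.split(';')) {
      // Only the first token is the directive name; later tokens are values.
      const name = directive.trim().split(/\s+/)[0];
      if (name) names.add(name.toLowerCase());
    }
  }
  return names;
}

// Return the https: URL the client should treat as a redirect target,
// or null when the response does not opt in (or nothing needs upgrading).
function upgradeTargetFor(navigationUrl, responseHeaders) {
  const url = new URL(navigationUrl);
  // Only insecure navigations are upgraded; this also prevents a loop
  // when the https: response repeats the same header.
  if (url.protocol !== 'http:') return null;

  // Header field names are case-insensitive; merge repeated fields.
  let csp = '';
  for (const [field, value] of Object.entries(responseHeaders)) {
    if (field.toLowerCase() === 'content-security-policy') {
      csp = csp ? csp + ',' + value : value;
    }
  }
  if (!cspDirectiveNames(csp).has('upgrade-insecure-requests')) return null;

  // Switch the scheme; an explicit non-default port is preserved.
  url.protocol = 'https:';
  return url.href;
}
```

Matching on directive names rather than on a substring of the header keeps a policy such as `default-src upgrade-insecure-requests` from being read as an opt-in.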