Created attachment 280540 [details] Redirect and upgrade flow Apologies if this is not truly a bug yet, but wanted to document this as work on upgrade-insecure-requests (UIR) progresses. It is entirely possible that after [158388](https://bugs.webkit.org/show_bug.cgi?id=158388) is resolved, this will be a moot point. It is possible that when URI's are upgraded via UIR and redirected to an HTTP URI, the resource is not upgraded (see attachment for clarity). We need to ensure that UIR handles this case. At present, I cannot validate whether this bug exists or not due to #158388. To reproduce: 1. Generate a page with the following CSP header: `default-src https:; upgrade-insecure-requests` 2. Create a HTML page, protected by the CSP in step1, that contains an `img` tag with a `src` attribute pointing to an HTTP asset (request A), that can successfully be upgraded to an HTTPS (request B) asset via `upgrade-insecure-requests`. This HTTPS asset should then redirect, via the server, to an HTTP asset (request C). Note that this HTTP asset should work as an HTTP or HTTPS request, but the redirect should specifically be to the HTTP version of the asset. 3. Load the page. Expected behavior: It is expected that the request C should be upgraded to an HTTPS request via `upgrade-insecure-requests`. What happened: Request C is not upgraded via `upgrade-insecure-requests` and subsequently blocked by the `default-src https:` CSP directive: [Error] Unrecognized Content-Security-Policy directive 'upgrade-insecure-requests'. Refused to load the image 'http://placeholdit.imgix.net/~text?txtsize=33&txt=350%C3%97150&w=350&h=150' because it violates the following Content Security Policy directive: "default-src https:". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback. In Firefox, on Nightly and Stable, the upgrade works. I get the following Console output: Content Security Policy: Upgrading insecure request 'http://domain.com/asset.png' to use 'https' Content Security Policy: Upgrading insecure request 'http://domain.com/redirected.png' to use 'https' I've also filed this bug in Chrome as the bug exists there as well and Mike West indicated that it was a bug.