Firstly - apologies if this is posted in the wrong place.
1. A concise explanation of the problem you’re experiencing.
Notice both the https -> http downgrade, and the usage of a raw IP address.
Relevant info in the response:
Status Code: 302 Found
A side effect of this is that since it downgrades from https to http, the certificate chain no longer exists, so the user cannot verify that the page is being hosted by Cesium, or is not otherwise hijacked.
2. A minimal code example. If you’ve found a bug, this helps us reproduce and repair it.
This issue may exist for other pages, but this has not been investigated.
3. Context. Why do you need to do this? We might know a better way to accomplish your goal.
I want to upload files to the converter without them being viewed in plaintext by a third-party observer.
I want to know that the page I’m viewing has not been hijacked.
Implementing HTTP Strict Transport Security headers on the server would be nice, to ensure that an http downgrade will be rejected by the browser.
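The checks this report describes (a 302 that moves from https to http, a raw IP address as the redirect target, and no HSTS header), as an added example that is not part of the original post or Cesium's code. The URLs, the IP address and the function names are constructed for illustration, since the post does not include the actual request.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, 0 if absent or invalid."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0

def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

def audit_response(request_url, status, headers):
    """List the transport-security findings for one response to request_url."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    src = urlsplit(request_url)
    findings = []
    # max-age=0 tells the browser to forget the policy, so it counts as missing.
    if src.scheme == "https" and hsts_max_age(hdrs.get("strict-transport-security")) == 0:
        findings.append("no-hsts")
    if status in REDIRECT_CODES and "location" in hdrs:
        # Location may be relative; resolve it against the requested URL.
        dst = urlsplit(urljoin(request_url, hdrs["location"]))
        if src.scheme == "https" and dst.scheme == "http":
            findings.append("scheme-downgrade")
        if is_ip_literal(dst.hostname):
            findings.append("raw-ip-target")
    return findings

# Constructed sample: 203.0.113.10 is a documentation-range address (RFC 5737).
SAMPLE = ("https://converter.example.com/upload", 302,
          {"Location": "http://203.0.113.10/upload"})

if __name__ == "__main__":
    print(audit_response(*SAMPLE))
```

The redirect target is checked separately from the header because an HSTS policy covers only the host name that sent it, and RFC 6797 has browsers ignore the header for IP-literal hosts.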