This was only done for HTTPS-requests, but it turns out this breaks
mixed HTTP/HTTPS configurations, because browsers do not store a separate
cookie for HTTP and HTTPS. So when you access the HTTPS version of a
site, the cookie is set as secure (https only) and subsequent HTTP
requests will simply not get the cookie at all and cannot change the
cookie into non-secure either.
So this protection can only be enabled again when we know a site is
HTTPS-only, i.e. when #247 is implemented.
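The cookie behaviour described in the commit message, reproduced with Python's `http.cookiejar` as an added example (not code from this project). The stdlib jar already withholds Secure cookies from `http://` requests; the rule that an `http://` response cannot replace a Secure cookie is not in the stdlib and is added in a hypothetical `BrowserLikePolicy` subclass. The host `example.test` and the `sid` cookie are constructed sample values.

```python
import email.message
import http.cookiejar
import urllib.request


class BrowserLikePolicy(http.cookiejar.DefaultCookiePolicy):
    """Stdlib policy plus one browser rule it lacks (added assumption):
    a response over plain http may not replace an existing Secure cookie."""

    def __init__(self, jar):
        super().__init__()
        self.jar = jar

    def set_ok(self, cookie, request):
        if request.type != "https":
            for old in self.jar:
                if old.secure and (old.name, old.domain) == (cookie.name, cookie.domain):
                    return False  # the Secure cookie stays untouched
        return super().set_ok(cookie, request)


class _Response:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def deliver(jar, url, set_cookie):
    """Feed a Set-Cookie header to the jar as if `url` had answered with it."""
    jar.extract_cookies(_Response(set_cookie), urllib.request.Request(url))


def cookie_sent(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def scenario():
    jar = http.cookiejar.CookieJar()
    jar.set_policy(BrowserLikePolicy(jar))
    deliver(jar, "https://example.test/", "sid=abc; Path=/; Secure")  # HTTPS visit
    before = cookie_sent(jar, "http://example.test/")  # HTTP visit: no cookie sent
    deliver(jar, "http://example.test/", "sid=xyz; Path=/")  # HTTP tries to reset it
    return before, cookie_sent(jar, "http://example.test/"), cookie_sent(jar, "https://example.test/")
```

`scenario()` returns what the HTTP side sees before and after its own `Set-Cookie`, then what the HTTPS side sees: the HTTP side never gets a session cookie while the HTTPS one keeps working.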