Our HTTPS by Default feature describes the default setting for HTTPS upgrades as "Upgrade connections to HTTPS". However, this is technically inaccurate since the feature only applies for mainframe navigations (in the top-level context.) It doesn't apply for subresource requests, so not all connections are actually upgraded to HTTPS.
Note: For subresources, we try to upgrade passive mixed content (e.g. images, other media) on a secure page and block the resource if the upgrade fails, and we outright block insecure active mixed content (e.g. scripts) on a secure page. This behaviour is not affected by the HTTPS by Default toggle.
Steps to reproduce
Open Shields panel or go to brave://settings/shields and check out the HTTPS upgrades feature toggle
Description
Our HTTPS by Default feature describes the default setting for HTTPS upgrades as "Upgrade connections to HTTPS". However, this is technically inaccurate since the feature only applies for mainframe navigations (in the top-level context.) It doesn't apply for subresource requests, so not all connections are actually upgraded to HTTPS.
Note: For subresources, we try to upgrade passive mixed content (e.g. images, other media) on a secure page and block the resource if the upgrade fails, and we outright block insecure active mixed content (e.g. scripts) on a secure page. This behaviour is not affected by the HTTPS by Default toggle.
Steps to reproduce
Open Shields panel or go to brave://settings/shields and check out the HTTPS upgrades feature toggle
Actual result
See the text mentioned above
Expected result
Some text that is more accurate
Reproduces how often
Easily reproduced
Desktop Brave version (brave://version info)
All
Android device
All
Channel information
Reproducibility
Miscellaneous information
No response