A couple of thoughts:
- The https credential should not be provided to an http page. The other way around is fine.
- I am not sure whether we want to do PSL matching here. For password forms, we do that only after the user manually confirmed that the credentials should be filled.

What do others think?

This seems to be a feature request. Hence, marking it as untriaged for further inputs from dev team.
Thanks...!!

I agree with #2. We should follow:
* HTTP => HTTPS filling, but not vice versa. 
* PSL matching filling only after user action. 

Adding vabr@ as he worked on HTTP Auth, AFAIK.

Unlike HTML forms, HTTP auth challenges have signon realm beyond just the origin. So where an HTML form is identified by the scheme, hostname and port, an HTTP auth challenge has scheme, hostname, port and a free-text string to be matched against the signon realm of the stored credentials.

If we want to do PSL matching (e.g., considering pairs as a.google.com and b.google.com as related) we still need to maintain that the scheme, port and the free-text string need to match.

As for scheme restrictions: I agree that we should never fill a https:-stored credential into a http:-issued auth challenge. I disagree that the other way round is OK -- see https://docs.google.com/document/d/1ei3PcUNMdgmSKaWSb-A4KhowLXaBMFxDdt5hvU_0YY8/edit#heading=h.bdtrfv54n08k (@chromium.org and @google.com accounts only) and  bug 571580  where we put a lot of care to avoid unrestricted filling of http: credentials on https: sites. The one-off migration from http: to https: should work on HTTP auth credentials, and if it does not, we should fix it.

vabr going hobby only -> reducing involvement.
Please contact me directly in urgent matters.