Just to be clear, I think the bug is that the page is going to the http version instead of https.

I confirm #1

Tested the issue in Android and could reproduce the issue.

Steps Followed:
1. Launched Chrome .
2. Navigated to demotywatory.pl or joemonster.org
3. Observed the pages are loading as m.demotywatory.pl or m.joemonster.org

Chrome versions tested:
65.0.3306.0

OS
Android 7.0.0

Android Devices
7.0.0; SM- J710F Build/NRD90M

Considering this issue as Non-Regression issue as observing same behavior since older builds.

Please navigate to below link for log's and video--
go/chrome-androidlogs/798051

Thanks!!

I see the same behavior with Firefox. Can you tell me why you expect "User is redirected to https://m.demotywatory.pl or https://m.joemonster.org"? Isn't this caused by server-settings?

"Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web" - I see here "safer" word

"One fast, simple, and secure browser for all your devices" - this is about Chrome, I see here "secure" word

Additionally I read Chrome blog, where are mentioned many initiatives for using or switching to the https (for example https://security.googleblog.com/2017/09/broadening-hsts-to-secure-more-of-web.html).

As end user I see that some sites are redirected to non-secure http mobile version although could be redirected to https mobile version.

As person non-working for Google I don't have always time for investigating and that's why I reporting some things to specialists.

Is it because of site config or is it because of Chrome bug? What can be done about this?

These questions should be addressed by team working on adequate parts of code and because of Google spirit I assume, that issue should be somehow resolved (in worst case whitelist could be created) and I should see here technical answers instead of questions from #5.

PS. I don't care right now about Firefox behavior, I'm reporting it to Chrome, which is advertised as best solution.

On top of #5 and #6 I've got question: why I shouldn't expect "User is redirected to https://m.demotywatory.pl or https://m.joemonster.org" ?

Is there technical reason not for doing it ?

Another example: chip.pl -> www.chip.pl (could be redirected to the https://www.chip.pl)

demotywatory.pl when requested with a mobile User-Agent returns the following response headers:

Cache-Control:private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
CF-RAY:3dbd187a75f045e4-TPE
Connection:keep-alive
Date:Fri, 12 Jan 2018 03:40:39 GMT
Expires:Thu, 01 Jan 1970 00:00:01 GMT
Location:http://m.demotywatory.pl/
Server:cloudflare
Transfer-Encoding:chunked

Note that the Location: header specifically requests the http version of the site.

The same is true of joemonster.org and chip.pl. Chrome will not redirect to the https version unless the site requests it. One reason for this is that it would be a standards violation and incompatible with other browsers; another reason is that some sites have an HTTPS server running which serves different content or doesn't work at all.

There is a popular chrome extension "HTTPS Everywhere" https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp which automatically redirects sites that are known to have a working HTTPS version. It currently doesn't know about any of the sites mentioned in this issue; however there are instructions at https://www.eff.org/https-everywhere/rulesets for how to add sites to the database.

We're discussing here Android without such possibilities like provided by "HTTPS Everywhere", can we have white-list or something?