
Disable HTTPS upgrade?


Posted Mar 5, 2025 15:19 UTC (Wed) by excors (subscriber, #95769)
In reply to: Disable HTTPS upgrade? by ballombe
Parent article: Firefox 136.0 released

Yeah, modern web security is based on "origin" (basically a tuple of scheme, port and host) which is generally sensible, but cookies were invented long before that and can't be fixed because of backward compatibility requirements. If you want to properly isolate sites then they can't even be on different subdomains of the same domain - they must be completely different domains, up to a suffix listed in the Public Suffix List (.com, .co.uk, .github.io, etc). And definitely don't try to isolate them just by port. It's a bad design, but it is what it is.

(Or as RFC6265 puts it: "For historical reasons, cookies contain a number of security and privacy infelicities.")
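
Added example (not part of the original comment, and not any browser's code): a JavaScript sketch contrasting the origin check with cookie scoping by RFC 6265 domain-match, which takes no account of scheme or port. The suffix set is a constructed three-entry excerpt of the Public Suffix List, the hostnames are placeholders, and the Path and Secure attributes are left out.

```javascript
// Constructed three-entry excerpt of the Public Suffix List (assumption, not the real list).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Origin is the (scheme, host, port) tuple; URL.origin serializes exactly that.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Public suffix plus one label: the boundary cookies cannot be widened past.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the excerpt
}

// RFC 6265 section 5.1.3 domain-match for host names (IP addresses not handled).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Scope a browser would store for a Set-Cookie from setterUrl, or null if rejected.
// A public suffix as Domain is only accepted as a host-only cookie for that exact host.
function storeCookie(setterUrl, domainAttr) {
  const host = new URL(setterUrl).hostname;
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (PUBLIC_SUFFIXES.has(domain)) {
    return host === domain ? { domain: host, hostOnly: true } : null;
  }
  return domainMatch(host, domain) ? { domain, hostOnly: false } : null;
}

// Scheme and port play no part in the match (Path and Secure are left out here).
function cookieSentTo(cookie, url) {
  const host = new URL(url).hostname;
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Two services on one host, separated only by port: different origins, shared cookies.
const byPort = storeCookie("https://app.example.com:8443/", "");
console.log(sameOrigin("https://app.example.com:8443/", "https://app.example.com:9443/"));
console.log(cookieSentTo(byPort, "https://app.example.com:9443/"));
// A sibling subdomain can plant a cookie that the other subdomain will receive.
const wide = storeCookie("https://blog.example.com/", "example.com");
console.log(cookieSentTo(wide, "https://bank.example.com/"));
```
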



