
Disable HTTPS upgrade?

Posted Mar 6, 2025 1:29 UTC (Thu) by NYKevin (subscriber, #129325)
In reply to: Disable HTTPS upgrade? by intelfx
Parent article: Firefox 136.0 released

This is the web, not some NIST-compliant government boondoggle. Everyone used to write charset='iso-8859-1' when they should have written charset='windows-1252'. You can tell people that they're wrong, but that won't fix the websites that already exist. Instead, WHATWG specifies the former as an alias for the latter, and both are now "correct." You should expect that common practices gradually ossify into standards - that is how the web has always worked.

As for HTTPS in particular:

* The HTTPS Everywhere extension has demonstrated that, in practice, many websites serve the same content on HTTPS as they do on HTTP, and you really can just replace http:// with https:// in a lot of URLs.
* HSTS (RFC 6797) has established a precedent that web standards should go out of their way to support and enhance the case where HTTP redirects to HTTPS, even if this means overriding the user's explicit instruction to connect with HTTP.
* The entire .dev gTLD is preloaded into HSTS. If you buy one of those domains, you cannot serve HTTP at all (at least, to any of the usual browsers), because the browser will rewrite all URLs to HTTPS.
* All major browsers now display "Not secure" or similar warnings when visiting an HTTP site.
* Chromium and Chromium-based browsers have been doing the whole "opportunistically upgrade HTTP to HTTPS" thing for select users (plus anyone who manually turns it on) since 2023.[1]

Realistically, I think it's only a matter of time before WHATWG decides to write this behavior down and call it a "living standard."

Disclaimer: I work for Google, but not on any web-related technology such as Chrome. Opinions are my own.

[1]: https://blog.chromium.org/2023/08/towards-https-by-defaul...


