Once the request has been sent to http://www.mydomain.com/cart/, if there is any sensitive data in the request, it’s too late. Force it to break! At least, it will give you an indication that there’s something wrong with your links. More details in previous answers:
[ … ] by the time the request reaches the server,
it’s too late. If there is a MITM, he has done his attack (or part of
it) before you got the request.The best you can do by then is to reply without any useful content. In
this case, a redirection (using 301 or 302 and the Location header)
could be appropriate. However, it may hide problems if the user (or
even you as a developer) ignores the warnings (in this case, the
browser will follow the redirection and retry the request almost
transparently).Therefore, I would simply suggest returning a 404 status:
http://yoursite/andhttps://yoursite/are effectively two distinct sites. There is no reason to expect a 1:1 mapping of all
resources from the URI spaces from one to the other (just in the same
way as you could have a completely different hierarchy for
ftp://yoursite/).- More importantly, this is a problem that should be treated upstream: the link that led your user to this resource using
http://
should be considered as broken. Don’t make it work automatically.
Having a 404 status for a resource that shouldn’t be there is fine. In
addition, returning an error message when there is an error is good:
it will force you (or at least remind you) as a developer that you
need to fix the page/form/link that led to this problem.
EDIT: (Example)
Let’s say you have http://example.com/, the non-secure section of your site that allows the user to browse items. They’re not logged in at that stage, so it’s fine to do it over plain HTTP.
Now, it’s cart/payment time. You want HTTPS. You send the user to https://example.com/cart/. If one of the links that sends the user to the cart part is using plain HTTP (i.e. http://example.com/cart/), it’s a development mistake. It just shouldn’t be there. Making the process break when you thought you were going to be sent to https://example.com/cart/ allows the developer to see it (and, once fixed, the user should never have the problem).
If it’s just about the point to the HTTPS section of your site (typically, an HTTP GET via a link somewhere), it’s not necessarily that big a risk.
Where automatic redirects become even more dangerous is when they hide bigger problems.
For example, you’re on https://example.com/cart/creditcarddetails and you’ve filled in some information that should really just stay over SSL. However, the developer has made a mistake and a plain http:// link is used in the form. In addition, the developer (a user/human after all) has clicked on “don’t show me this message again” in Firefox when it says “Warning: you’re going from a secure page to a non-secure page” (by the way, unfortunately, Firefox warns a posteriori: it has already made the insecure request by the time it shows the user that message). Now, that GET/POST request with sensitive data is sent first to that incorrect plain http:// link and the automatic rewrites tells the browser to try the request again over https://. It looks fine because, as far as the user is concerned, this all happened in a fraction of a second. However, it’s not: sensitive data was sent in clear.
Making the plain HTTP section of what should only be over HTTPS not do anything useful actually helps you see what’s wrong more clearly. Since the users should never end up there anyway if the links are correctly implemented, this isn’t really an issue for them.