This has been a deliberate design choice, based on:
- The availability of effective countermeasures against MITM attacks like the one you described (HSTS, ForceHTTPS, NoScript's built-in HTTPS options...)
- Known false positive issues which would be caused by the stricter policy you're describing
However I guess I could try to enforce injection checks when landing on HTTPS from a different protocol/port, maybe with an about:config preference switch off, and see how it goes...