Safari 6 degrades https to http upon pasting into omnibar

Originator: pepi.zawodsky
Number: rdar://12112995
Date Originated: 2012/08/16
Status: Open
Resolved:
Product: Safari
Product Version: 6.0 (8536.25)
Classification: Security
Reproducible: Always
 
Summary:
When a page has been accessed via https and a part of its URL is replaced by pasting into Safari's omnibar, the protocol is automatically degraded to http, so the next connection is made unencrypted.


Steps to Reproduce:
Access a website via https whose URL has one or more path components.
For example: https://www.google.com/intl/en/policies/
Make sure you're using httpS.

Copy the string “at” (without quotes) to your pasteboard. Click into the terrible omnibar in Safari 6. Double-click the URL part “en” and paste the string “at” from your pasteboard. Hit return to load the manually corrected URL.

The next request is sent over plain http (no SSL) instead of https.

Expected Results:
The protocol should NEVER change just because a non-protocol part of a URL is edited by hand. It should also NOT automatically downgrade from https to http just because pasted text doesn't explicitly contain http://



Actual Results:
Safari 6 silently degrades https to http for no reason, leaking all GET parameters because the expected encryption is not used.
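The expected-results rule above can be written down as a small test oracle. This is an added example, not code from the radar or from Safari: it computes the URL a correct omnibar should load after a selected path segment is replaced by pasted text, and flags the scheme downgrade the report describes when the browser loads something weaker. Function names and the pasted/loaded sample values are assumptions for illustration.

```python
"""Test oracle for omnibar paste edits (added example, not part of the
original radar). Rule modelled: replacing a selected, non-scheme part of a
URL must never change the scheme unless the pasted text itself carries an
explicit scheme."""
from urllib.parse import urlsplit, urlunsplit


def edit_url(original: str, selected: str, pasted: str) -> str:
    """Return the URL a correct omnibar should load after the user
    double-clicks the path segment `selected` and pastes `pasted`."""
    if pasted.startswith(("http://", "https://")):
        # Pasting a complete URL is the one case where the scheme may change.
        return pasted
    parts = urlsplit(original)
    segments = parts.path.split("/")
    if selected not in segments:
        raise ValueError(f"{selected!r} is not a path segment of {original!r}")
    segments[segments.index(selected)] = pasted
    # Scheme, host, query and fragment are carried over untouched.
    return urlunsplit(parts._replace(path="/".join(segments)))


def is_downgrade(original: str, loaded: str) -> bool:
    """True when the browser loaded `loaded` over http although `original`
    was an https page, i.e. the behaviour this report describes."""
    return (urlsplit(original).scheme == "https"
            and urlsplit(loaded).scheme == "http")


def check_paste(original: str, selected: str, pasted: str, loaded: str) -> str:
    """Compare what the browser actually loaded with the expected result."""
    expected = edit_url(original, selected, pasted)
    if is_downgrade(original, loaded):
        return f"DOWNGRADE: expected {expected}, browser loaded {loaded}"
    if loaded != expected:
        return f"MISMATCH: expected {expected}, browser loaded {loaded}"
    return "OK"


if __name__ == "__main__":
    page = "https://www.google.com/intl/en/policies/"          # from the report
    buggy = "http://www.google.com/intl/at/policies/"           # constructed: Safari 6 result
    print(check_paste(page, "en", "at", buggy))
```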


Regression:
Selecting a part of the URL and typing over it does not degrade the protocol. This only happens when PASTING text.
Tested only under OS X 10.8 Mountain Lion 12A269. Haven't tried Safari 6 under 10.7.x Lion.

Notes:
This is independent of the certificate used by the site: it makes no difference whether it is self-signed, standard SSL, or even SSL with extended validation.

Original discovery of this behavior by Andreas Fuchs, I'm just filing the appropriate radar.

Comments

I love how this does not happen when manually making a change to the URL.
