Good. I guess we are more or less on the same page. My only qualm about permitting plain HTTP and giving a passive alert is that it allows an attacker to run arbitrary JS on your machine before you notice that it was loaded over plain HTTP and decide to disable it. However, this may be a very good transition step.