Right now we fail background attributionsrc requests whose first URL is insecure, but if the first URL is secure we follow it and merely drop registrations from insecure hops. The proposal to fix this is to taint a redirect chain as soon as an insecure redirect is detected and disallow ARA registration from that point onwards (when basically our transitive trust assumptions go out the window).
This proposal will affect you if:
1. You register ARA with an insecure origin in the middle of a redirect chain
2. You register ARA with a secure origin, but a previous URL in the redirect chain was insecure
Please comment on the linked issue with feedback.