The risk of injection attacks using HTTP is too great to allow a
site that allows both HTTP and HTTPS...