Can you please also include an HTTP response header that tells us the level of verification of the connection to the origin?
If CloudFlare wants to live dangerously with origin connections, fine... but give end users a way to drop the connection if it isn't secure, like our browsers would normally.
By the time you've gotten this response header, the request has already been sent over the connection that you don't trust, and at least part of the response.
I love your suggestion, with the caveat that browsers send a pre-flight interrogation request (similar to OPTIONS with CORS) to determine if the origin connection is secure before sending a legitimate request (containing potentially sensitive data).