by im3w1l 3022 days ago
> We modified WebKit so that when an insecure third-party subresource load from a domain for which we block cookies (such as an invisible tracking pixel) had been upgraded to an authenticated connection because of dynamic HSTS, we ignore the HSTS upgrade request and just use the original URL.

Could someone explain this?

1 comment

They just assume that a 3rd party shouldn't ever have a need to send an "http://" link only to redirect to "https://", and are willing to stop that feature from working even if it can lead to false positives and just break some sites.
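To make the quoted policy concrete, here is an added model of the upgrade decision (example code, not WebKit's implementation). It assumes a simplified browser state: a dynamic vs. preloaded HSTS store, a set of hosts for which cookies are blocked, and a third-party check that only compares the resource host against the top-frame host.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed, simplified model of the policy described in the quoted text.

@dataclass
class HstsEntry:
    include_subdomains: bool
    dynamic: bool  # True if learned from a Strict-Transport-Security header, False if preloaded

@dataclass
class Browser:
    hsts: dict = field(default_factory=dict)          # host -> HstsEntry
    cookie_blocked: set = field(default_factory=set)  # hosts whose cookies are blocked

    def hsts_match(self, host):
        """Return the HSTS entry covering host: exact match, or a parent with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and (i == 0 or entry.include_subdomains):
                return entry
        return None

    def is_cookie_blocked(self, host):
        return any(host == b or host.endswith("." + b) for b in self.cookie_blocked)

    def resolve_load_url(self, url, top_frame_host):
        """URL actually fetched for a subresource load from a page whose top frame is top_frame_host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        entry = self.hsts_match(parts.hostname)
        if entry is None:
            return url  # no HSTS policy: plain http load
        third_party = (parts.hostname != top_frame_host
                       and not parts.hostname.endswith("." + top_frame_host))
        # The mitigation: a *dynamic* HSTS upgrade of a third-party subresource from a
        # cookie-blocked host is ignored, so the load cannot act as a stored tracking bit.
        if entry.dynamic and third_party and self.is_cookie_blocked(parts.hostname):
            return url
        return urlunsplit(("https",) + tuple(parts[1:]))

def demo():
    b = Browser()
    b.hsts["tracker.example"] = HstsEntry(include_subdomains=True, dynamic=True)
    b.cookie_blocked.add("tracker.example")
    b.hsts["cdn.example"] = HstsEntry(include_subdomains=False, dynamic=False)  # preloaded
    return (b.resolve_load_url("http://tracker.example/pixel.gif", "news.example"),   # stays http
            b.resolve_load_url("http://tracker.example/pixel.gif", "tracker.example"),  # first party: upgraded
            b.resolve_load_url("http://cdn.example/lib.js", "news.example"))            # preloaded: upgraded
```

Preloaded entries and first-party loads are still upgraded; only the dynamic, third-party, cookie-blocked combination falls back to the original URL.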