[Dylan16807]

> The page itself is served in both HTTP and HTTPS, can be visited in and outside the LAN.

So why can't you use one of these options:

1. Redirect all users to HTTPS, since you apparently already have a globally valid certificate.

2. Rewrite the tags to use HTTPS only when the page is loaded over HTTPS.

3. Set upgrade-insecure-requests only when the page is loaded over HTTPS.

[est]

Because the <img> <video> content is served on a LAN machine with custom TLD. HTTPS don't work with that.

However I can use reverse of your methods to redirect every HTTPS to HTTP.

[Dylan16807]

When you say "the page itself" can be visited outside the LAN, does that include the images and videos? If it doesn't, what's the use case?

Inside the LAN, when you visit the page over HTTPS the URL bar has a globally valid domain, right? So why do you even want the LAN machine to have a custom TLD, if that's going to be invisible to the user?

[est]

> does that include the images and videos? If it doesn't, what's the use case?

Certain pages of have media content that can only be viewed in LAN. However since the the HTTPS page is used in and outside lan, users tend to keep visiting the site with HTTPS enabled. After Chrome upgraded to v81, the images and videos failed to load. And there is little site admin can do to quickly restore the access.