There is current active work to experiment with a https only mode (bug 1613063), which works by upgrading insecure requests where possible (bug 1620242).

These changes operate at a low layer and aren't visible to the UI, however: When I type example.com, autocomplete still suggests http://example.com/, and the urlbar clearly shows the attempt to load http://example.com when I press Enter (set browser.urlbar.trimURLs=false via about:config to see the scheme). The navigation will eventually end up at https, but this is not obvious to the user.

I'd like to have a preference to default to https instead of http. Whether the load is going to succeed or not is not a concern; that can be handled as part of bug 1613063.

For the past five years I have used this behavior with patches for Chromium and extensions for Firefox and from a usability perspective this wasn't too bad. The usability actually went down when I had to hook up at the request level (and thus not know whether the user specified a scheme or not) instead of the UI level when support for legacy add-ons were dropped in Firefox 57.

(In reply to Rob Wu [:robwu] from comment #0)

I'd like to have a preference to default to https instead of http. Whether the load is going to succeed or not is not a concern; that can be handled as part of bug 1613063.

Do you mean a user-facing preference or just a way to tell the urlbar to default to https from another part of Firefox?

https://searchfox.org/mozilla-central/rev/9120151ddb35f2d4c37bfe613a54a4f10a9a3dc5/docshell/base/URIFixup.jsm#698 should be set to "https" if a new pref called browser.urlbar.default-to-https was manually set to true on about:config.
The default-to-https behavior could be tested by typing neverssl.com into the address bar: Then, the first suggestion is "https://neverssl.com -- Visit". If you press enter, https://neverssl.com is opened. If you want http, then you have to type http://neverssl.com. Mozilla Servo has this behavior already.

This would be the first of two steps.
As browser.urlbar.trimURLs is true, you would type in http://neverssl.com, but "neverssl.com" is shown after pressing enter. If you then edit the path and press enter, you would try to open "neverssl.com/path", hence it would be https://neverssl.com/path. That's a temporary unsoundness, but also self-bullying into https.
("hstspreload.org" would open https://hstspreload.org/ and editing the path does not change the protocol.)

This unsoundness would be fixed by bug 1067293: The protocol of http://neverssl.com/ would not be hidden by browser.urlbar.trimURLs if browser.urlbar.default-to-https is true. You could edit http://neverssl.com/ to http://neverssl.com/path or hstspreload.org to hstspreload.org/path.
bug 1067293 should also imply security.insecure_connection_text.enabled if browser.urlbar.default-to-https is true. (Highlight danger instead of security. That's why the EV bar was removed. The padlock is enough for https.)

P3 for now, it sounds like a good starting point for a soft release, there's many code points and tests to adapt before it could be flipped for everyone.

Hi there Frederick, do you think this preference is necessary or if it'll be handled by the work you're doing?

I think this one can be duplicated against bug 1812192

Makes sense as in the WIP patch, it looks like you're creating dom.security.https_first_schemeless.