>     The best prevention is not allowing redirects at all or only
>     allowing redirections that keep the hostname intact -- while an
>     option for much software, it isn't an option for web browsers.

Partially scratch that -- restricting to ‘keeping hostname intact’ is insufficient, because there could be a DNS record that points 'website via http' to 127.0.0.1, and hence a redirect from https://website --> http://website can change IP addresses from global Internet to local computer.

Best regards,
Maxime Devos.
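
An added example, not part of the original message or of any project's code: a redirect check that compares the address scope of the redirect target with that of the original connection, instead of comparing only the hostname. The function names, the injectable resolver and the constructed DNS table (website.example, keyed by port to model the per-scheme record the message describes) are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data: the same hostname answers differently for port 80.
CONSTRUCTED_DNS = {
    ("website.example", 443): ["93.184.216.34"],
    ("website.example", 80): ["127.0.0.1"],
}


def constructed_resolver(host, port):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return CONSTRUCTED_DNS.get((host, port), [])


def system_resolver(host, port):
    """Resolve with the OS resolver; returns a set of IP strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def same_hostname(origin_url, target_url):
    """The weaker rule from the quoted text: the hostname must stay intact."""
    return urlsplit(origin_url).hostname == urlsplit(target_url).hostname


def redirect_allowed(origin_ip, target_url, resolver=system_resolver):
    """Refuse a redirect that moves from a global address to a non-global one.

    origin_ip: address the original request was actually sent to.
    resolver:  callable(host, port) -> iterable of IP strings.
    """
    target = urlsplit(target_url)
    if target.scheme not in ("http", "https") or not target.hostname:
        return False
    port = target.port or (443 if target.scheme == "https" else 80)
    if not ipaddress.ip_address(origin_ip).is_global:
        # Assumed policy: an origin that was already local may stay local.
        return True
    addresses = [ipaddress.ip_address(a) for a in resolver(target.hostname, port)]
    # Every candidate must be global: the client may connect to any of them.
    return bool(addresses) and all(a.is_global for a in addresses)


if __name__ == "__main__":
    origin, target = "https://website.example/", "http://website.example/"
    print("same hostname:", same_hostname(origin, target))
    print("allowed:", redirect_allowed("93.184.216.34", target, constructed_resolver))
```

The client then has to connect to one of the addresses that were checked; a second lookup at connect time can return a different answer.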