Perhaps to prevent attacks where someone can be MitM’d, given some data marked as immutable (maybe even data that the actual site never would mark as immutable) and have that persist long after the fact.
Exactly. This response can only be trusted over HTTPS.
A browser trusting the response to really mean what it says might never ever check to see whether the resource has changed upstream. Because that’s its intended purpose. That would mean that the malicious content from a single MitM would get kept and used forever, even later when browsing from a secure network.
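The policy the comments above describe, as an added example (not code from any browser or from a thread participant): a client-side cache decision that honours `Cache-Control: immutable` only for responses fetched over HTTPS, so a tampered plain-HTTP response cannot skip revalidation for its whole max-age window. The header values and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_cache_control(header: str) -> dict:
    """Parse a Cache-Control value into {directive: value or None}.
    Directive names are case-insensitive; values may be bare or quoted."""
    directives = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip quotes from quoted-string values
        directives[name] = value if value else None
    return directives


def should_revalidate(url: str, cache_control: str, age_seconds: int,
                      user_reload: bool = False) -> bool:
    """Return True if the client must ask the origin before reusing the
    cached copy. `immutable` lets a fresh response survive a user reload
    without a conditional request, but only when the response came over
    HTTPS: over plain HTTP a single on-path modification would otherwise be
    served unchallenged until max-age expires."""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc or "no-cache" in cc:
        return True
    try:
        max_age = int(cc.get("max-age") or 0)
    except ValueError:
        return True  # malformed max-age: treat the entry as stale
    if age_seconds >= max_age:
        return True  # past its freshness lifetime
    if not user_reload:
        return False  # fresh entry, normal navigation: reuse it
    # A reload normally forces revalidation even of fresh entries; the
    # immutable directive suppresses that, but only for HTTPS responses.
    immutable_trusted = "immutable" in cc and urlsplit(url).scheme == "https"
    return not immutable_trusted


if __name__ == "__main__":
    hdr = "max-age=31536000, immutable"  # constructed sample header
    print(should_revalidate("https://example.com/app.js", hdr, 10, True))  # False
    print(should_revalidate("http://example.com/app.js", hdr, 10, True))   # True
```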
I remember reading somewhere that browsers were discussing only adding new features over HTTPS as an incentive to get sites to upgrade.