class ActionDispatch::ContentSecurityPolicy

policy.upgrade_insecure_requests false

Pass +false+ to disable it:

policy.upgrade_insecure_requests

Specify whether user agents should treat any assets over HTTP as HTTPS:

def upgrade_insecure_requests(enabled = true)
  if enabled
    @directives["upgrade-insecure-requests"] = true
  else
    @directives.delete("upgrade-insecure-requests")
  end
end