I added HSTS to the subdomain under the expectation that Chrome would upgrade the requests to HTTPS. But, it doesn't, it still blocks them as mixed content. Which is a bugger, because Chrome has now hidden the "allow mixed content" option.