I think this topic was discussed years ago, but I do get negativ security points via Mozillas observatory when delivering first party tracking cookies without the secure flag.

I think it should be possible to enable that plag on a per website basis. Most websites I setup are SSL only, a request to non encrypted pages gets redirected to ssl and that ist the recommended canonical url for every page. So I don't need any sharing of session tracking cookies between http and https.