Security of an initial redirection from http://example.com to https://example.com
Suppose that http://example.com/<foo> systematically redirects to https://example.com/<foo>. I enter http://example.com in my browser's URL bar, and I see a page load and the URL bar now displays exactly https://example.com/ (no Unicode hack, no whitespace hack, etc.). I verify that this is the case (most users won't, but assume that in this case the user did). Further assume that my browser isn't vulnerable to URL bar faking. Also assume that the SSL certificate is valid.
In this situation, can I trust that from now on my session is not vulnerable to any man-in-the-middle attack? Could a MITM on the initial HTTP connection have injected something (a cookie, a hidden frame, whatever) that would compromise the subsequent apparent HTTPS session?
This is a subcase of "How secure is redirecting user from http://normal.bank.com to https://secure.bank.com?"; I'm after more details for this specific case.