diff --git a/dom/security/test/https-first/file_redirect_error.sjs b/dom/security/test/https-first/file_redirect_error.sjs
new file mode 100644
index 000000000000..197ae667234f
--- /dev/null
+++ b/dom/security/test/https-first/file_redirect_error.sjs
@@ -0,0 +1,128 @@
+//https://bugzilla.mozilla.org/show_bug.cgi?id=1706351
+
+// Step 1. Send request with redirect queryString (eg. file_redirect.sjs?302)
+// Step 2. Server responds with corresponding redirect code to http://example.com/../file_redirect.sjs?check
+// Step 3. Response from ?check indicates whether the redirected request was secure or not.
+
+const RESPONSE_ERROR = "unexpected-query";
+
+// An onload postmessage to window opener
+const RESPONSE_SECURE = `
+  <html>
+  <body>
+  send onload message...
+  <script type="application/javascript">
+    window.opener.postMessage({result: 'secure'}, '*');
+  </script>
+  </body>
+  </html>`;
+
+const RESPONSE_INSECURE = `
+  <html>
+  <body>
+  send onload message...
+  <script type="application/javascript">
+    window.opener.postMessage({result: 'insecure'}, '*');
+  </script>
+  </body>
+  </html>`;
+
+function redirectMeta(targetUri) {
+  return `<html>
+<head>
+  <meta http-equiv="refresh" content="0; url='${targetUri}'">
+</head>
+<body>
+  META REDIRECT
+</body>
+</html>`;
+}
+
+function redirectJs(targetUri) {
+  return `<html>
+<body>
+  JS REDIRECT
+  <script>
+    let url= "${targetUri}";
+    window.location = url;
+  </script>
+</body>
+</html>`;
+}
+
+const CROSS_ORIGIN_REDIRECT =
+  "https://example.net/tests/dom/security/test/https-first/file_redirect_error.sjs?check";
+const SAME_ORIGIN_REDIRECT =
+  "https://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?check";
+const DOWNGRADE_SECURE =
+  // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+  "http://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?downgrade-302";
+const START_TEST =
+  "https://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?cross-302";
+
+function handleRequest(request, response) {
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  const secure = request.scheme == "https";
+
+  const query = request.queryString.split("-");
+  // allow specifying different target uris
+  let targetUri = null;
+  switch (query[0]) {
+    case "cross":
+      if (secure) {
+        targetUri = CROSS_ORIGIN_REDIRECT;
+      }
+      break;
+    case "same":
+      if (secure) {
+        targetUri = SAME_ORIGIN_REDIRECT;
+      }
+      break;
+    case "downgrade":
+      if (secure) {
+        targetUri = DOWNGRADE_SECURE;
+      } else {
+        targetUri = START_TEST;
+      }
+      dump("request:" + request.scheme + "\n");
+      dump("redirect:" + targetUri + "\n");
+      break;
+    case "check":
+      break;
+    default:
+      // This should not happen
+      response.setStatusLine(request.httpVersion, 500, "OK");
+      response.write(RESPONSE_ERROR);
+      return;
+  }
+  let method = query[1];
+
+  // send redirect if requested
+  if (targetUri != null && method == "302") {
+    response.setStatusLine(request.httpVersion, 302, "Found");
+    response.setHeader("Location", targetUri, false);
+    return;
+  }
+  if (targetUri != null && method == "js") {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.write(redirectJs(targetUri));
+    return;
+  }
+  if (targetUri != null && method == "meta") {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.write(redirectMeta(targetUri));
+    return;
+  }
+
+  // Check if scheme is http:// or https://
+  if (query == "check") {
+    response.setStatusLine(request.httpVersion, 400, "Error");
+    response.write(secure ? RESPONSE_SECURE : RESPONSE_INSECURE);
+    return;
+  }
+
+  // This should not happen
+  response.setStatusLine(request.httpVersion, 500, "OK");
+  response.write(RESPONSE_ERROR);
+}
diff --git a/dom/security/test/https-first/mochitest.toml b/dom/security/test/https-first/mochitest.toml
index d091ab1e115e..638ccc0f82ba 100644
--- a/dom/security/test/https-first/mochitest.toml
+++ b/dom/security/test/https-first/mochitest.toml
@@ -40,6 +40,9 @@ support-files = ["file_multiple_redirection.sjs"]
 ["test_redirect_downgrade.html"]
 support-files = ["file_redirect_downgrade.sjs"]
 
+["test_redirect_http_error.html"]
+support-files = ["file_redirect_error.sjs"]
+
 ["test_redirect_upgrade.html"]
 scheme = "https"
 support-files = ["file_redirect.sjs"]
diff --git a/dom/security/test/https-first/test_multiple_redirection.html b/dom/security/test/https-first/test_multiple_redirection.html
index a1b714543c0b..a6c3aaa2c2d2 100644
--- a/dom/security/test/https-first/test_multiple_redirection.html
+++ b/dom/security/test/https-first/test_multiple_redirection.html
@@ -48,6 +48,13 @@ Test multiple redirects using https-first and ensure the entire redirect chain i
     //         to http://example.com/../verify. Since the last redirect is http, and we
     //         had a downgrade in the redirect chain. We load the http version
     {name: "test downgrade HTTP", result: "scheme-http", query: "test5" },
+    // test 5: https-first upgrades http://example.com/test6 -> https://example.com/test6
+    //         that's redirect to https://example.com/.../downgrade which then redirects
+    //         https-first upgrades http://example.com/.../downgrade -> https://example.com/.../downgrade
+    //         that's redirect to http://example.com/.../downgrade which which is detected as http downgrade
+    //         to http://example.net/../verify. Since the last redirect is http, and we
+    //         had a downgrade in the redirect chain. We load the http version
+    {name: "test downgrade HTTP", result: "scheme-http", query: "test5" },
   ]
   let currentTest = 0;
   let testWin;
diff --git a/dom/security/test/https-first/test_redirect_http_error.html b/dom/security/test/https-first/test_redirect_http_error.html
new file mode 100644
index 000000000000..199176696e89
--- /dev/null
+++ b/dom/security/test/https-first/test_redirect_http_error.html
@@ -0,0 +1,104 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1904238
+Test error pages after redirects causing us to downgrade.
+-->
+
+<head>
+  <title>HTTPS-First-Mode - Test for multiple redirections</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+
+<body>
+
+  <script class="testbody" type="text/javascript">
+  "use strict";
+
+  SimpleTest.waitForExplicitFinish();
+
+  // Load an http:// window which gets upgraded to https://, redirected to a different
+  // https page. The other https page contains an error. Make sure that we don't
+  // downgrade on that error.
+  
+  const testCase = [
+    // The following three test cases are the same execpt the redirect method.
+    // They have the following schema:
+    //  1. The test case gets initiated by loading a page with schema http:
+    //     http://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?cross-302
+    //  2. The load gets upgraded via https-first and therefor sets the
+    //     `HTTPS_ONLY_UPGRADED_HTTPS_FIRST`-flag on the nsILoadInfo
+    //     from the channel. We load the https variant of the url:
+    //     https://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?cross-302
+    //  3. The server responds with a redirect with a different host, path and
+    //     still the https-scheme, indicating that following errors are not a
+    //     result of the https-first upgrade. When progressing the redirect,
+    //     we clear the `HTTPS_ONLY_UPGRADED_HTTPS_FIRST`-flag. We continue
+    //     with loading the resulting URL:
+    //     https://example.net/tests/dom/security/test/https-first/file_redirect_error.sjs?verify
+    //  4. We display the error returned by the server and not downgrade to
+    //     http-version.
+    "cross-302",
+    "cross-js",
+    "cross-meta",
+    // The following three test cases are the same as above, however in step 3
+    // the returned URL differs only in the path, not the host. Since the
+    // we haven't encountered a http-downgrade.
+    "same-302",
+    "same-js",
+    "same-meta",
+    // Makes sure cross origin redirects don't inherit the exception flag.
+    // This test case is the same as the first one, except before reaching
+    // the url in step 1 we encounter a http downgrade.
+    //  1. The test gets initiated with:
+    //     http://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?downgrade
+    //  2. Upgraded via https-first:
+    //     https://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?downgrade
+    //  3. The server responds with an redirect to the http version of the
+    //     and therefore explicitly downgrades the connection. We load the
+    //     http version we exempt example.com from loading securely.
+    //     http://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?downgrade
+    //  4. The server responds with the test case URL from test 1 "cross-302"
+    "downgrade-302",
+  ];
+  let currentTest = 0;
+  let testWin;
+  window.addEventListener("message", receiveMessage);
+
+  // receive message from loaded site verifying the scheme of
+  // the loaded document.
+  async function receiveMessage(event) {
+
+    let test = testCase[currentTest];
+      is(event.data.result,
+       "secure",
+       "expected https load in test " + test
+    );
+    testWin.close();
+    await SpecialPowers.removePermission(
+      "https-only-load-insecure",
+      "http://example.com"
+    );
+    if (++currentTest < testCase.length) {
+      startTest();
+      return;
+    }
+    window.removeEventListener("message", receiveMessage);
+    SimpleTest.finish();
+  }
+
+  async function startTest() {
+    const test = testCase[currentTest];
+    // eslint-disable-next-line @microsoft/sdl/no-insecure-url
+    let uri = `http://example.com/tests/dom/security/test/https-first/file_redirect_error.sjs?${test}`;
+    testWin = window.open(uri);
+  }
+
+  // Set preference and start test
+  SpecialPowers.pushPrefEnv({ set: [
+    ["dom.security.https_first", true],
+  ]}, startTest);
+  </script>
+</body>
+</html>
diff --git a/netwerk/protocol/http/HttpBaseChannel.cpp b/netwerk/protocol/http/HttpBaseChannel.cpp
index 5781955a84a9..ab265ee100ce 100644
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -4437,6 +4437,11 @@ already_AddRefed<nsILoadInfo> HttpBaseChannel::CloneLoadInfoForRedirect(
       newLoadInfo->SetLoadTriggeredFromExternal(false);
     }
     newLoadInfo->ResetSandboxedNullPrincipalID();
+
+    // Reset HTTPS-first and -only status on http redirect. To not unexpectedly
+    // downgrade requests that weren't upgraded via HTTPS-First (Bug 1904238).
+    Unused << newLoadInfo->SetHttpsOnlyStatus(
+        nsILoadInfo::HTTPS_ONLY_UNINITIALIZED);
   }
 
   newLoadInfo->AppendRedirectHistoryEntry(this, isInternalRedirect);