In the backup proposal, you say that an HSTS-aware plugin should have created the https request in the first place. To do this it would need to know that the host (to which it's sending a request) has specified it.
Where does the plugin access which sites have specified HSTS (and whose expiration date has not yet been met)?
I suggest that this could be a browser-specific change, with no changes to the plug-in or NPAPI. For any http request coming from the plug-in, the browser could simulate a redirect without actually accessing the server. The plug-in would think that there was a real redirect, with no changes.
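
The browser-side approach suggested above, sketched as an added example that is not part of the original comment or of any browser's code. `HstsStore`, `interceptPluginRequest` and the choice of a 307 status are assumptions made for illustration, and the sample host and timestamps are constructed.

```javascript
// Hypothetical browser-side HSTS store: host -> { expires, includeSubDomains }.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a Strict-Transport-Security header seen over HTTPS from `host`.
  note(host, header, now) {
    let maxAge = null, includeSubDomains = false;
    for (const part of header.split(';')) {
      const [name, value = ''] = part.trim().split('=');
      if (/^max-age$/i.test(name) && /^\d+$/.test(value)) maxAge = Number(value);
      else if (/^includeSubDomains$/i.test(name)) includeSubDomains = true;
    }
    if (maxAge === null) return;                 // no valid max-age: ignore header
    const key = host.toLowerCase();
    if (maxAge === 0) this.entries.delete(key);  // max-age=0 clears the entry
    else this.entries.set(key, { expires: now + maxAge * 1000, includeSubDomains });
  }

  // True when `host`, or a parent that set includeSubDomains, has an unexpired entry.
  applies(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }
}

// Runs on every plug-in request before any network access. Returns a
// synthetic redirect for the plug-in to follow, or null to send the request as-is.
function interceptPluginRequest(store, rawUrl, now) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'http:' || !store.applies(url.hostname, now)) return null;
  url.protocol = 'https:';   // default port 80 becomes 443; an explicit other port is kept
  // 307 is an assumption here: it keeps the request method and body unchanged.
  return { status: 307, location: url.href };
}

// Constructed sample data: example.com sent HSTS at t = 1,000,000 ms.
const store = new HstsStore();
store.note('example.com', 'max-age=60; includeSubDomains', 1000000);
console.log(interceptPluginRequest(store, 'http://sub.example.com/movie.swf', 1001000));
console.log(interceptPluginRequest(store, 'http://sub.example.com/movie.swf', 1061000));
```

The plug-in only ever sees the returned redirect object, so the HSTS list and its expiry checks stay inside the browser.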