If the client gets an HTTP 303 See Also
code, it will unconditionally submit a GET request.
If the client gets an HTTP 302 Found
, it should submit the same type of request (POST) on the redirected URL, with user confirmation.
This may not work properly on older browsers which tend to treat 302 Found
as if it were 303 See Also
.
Anyway, having a form on a non-secure page submit data on a secure page is a bad idea.
The form page may be corrupted and spied in any way you can imagine, and the user cannot be sure that the data he submits is the data he sees.
Example: Your form has a "MainData" field. An intermediate phishing site can write a JavaScript to spy entered data, put a hidden "MainData" field containing whatever it wishes and show a dummy "FakeIgnoreData" field to the user.
Solution: Put form page and submission page on the same HTTPS server.