Thank you for the feedback! We're glad you liked it :)
We'll be releasing this polished after the competition ends.
I actually didn't check it out on HTTPS pages in our (incredibly abbreviated) testing period. Alex found a show-stopper bug about an hour before the competition ended and my focus was on getting that fixed.
The biggest gap is actually that it doesn't all run in the context of the current user's session, locally. Doing that would get us closer to where we want to be without trying to pass user session data to the server to allow them to reach "authenticated" sites.
And you're right about visual indication. I had that every time, but only because I was watching for requests in the browser console. I started that process because I didn't get any visual feedback and didn't think to address the problem in other ways.