Hacker News

For who? For Google? Or for the client? The server's security shouldn't be dependent on https.


Both. If you can stop an https redirect by rewriting the user agent header, it can be used to track the Google searches, for example. HSTS would help if the browser did connect to the https website recently, but it looks like a security vulnerability to me.

I just realized after writing this comment that if you can rewrite http headers, you can also stop the redirect so perhaps it doesn't matter.



