Doesn't respect CSP policies
Assume a site pulls scripts from a CDN, like cdnjs.cloudflare.com, using the HTTP protocol, and has a script-src of "http://cdnjs.cloudflare.com" set in the Content-Security-Policy header.
If a user with HTTPS Everywhere installed were to browse the site, it would try to fetch the scripts using HTTPS, which is forbidden by the CSP header, thus breaking the site.
Trac:
Username: Erom2
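
An added example, not part of the original ticket or of HTTPS Everywhere's code: a simplified script-src check for the scenario above, comparing exact scheme matching (the breakage the ticket describes) with the CSP Level 3 rule under which an `http:` source expression also matches `https:`. The policy, the script path and all function names are constructed for illustration.

```javascript
// Constructed inputs mirroring the ticket's scenario (the path is made up).
const POLICY = 'script-src http://cdnjs.cloudflare.com';
const ORIGINAL = 'http://cdnjs.cloudflare.com/ajax/libs/example/1.0.0/example.min.js';

// Extract the source list of one directive from a CSP header value.
function sourcesFor(policy, directive) {
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return [];
}

// "exact" is the behaviour the ticket describes; "upgrade" follows
// CSP Level 3, where an http: source expression also matches https: URLs.
function schemeMatches(sourceScheme, urlScheme, mode) {
  if (sourceScheme === urlScheme) return true;
  return mode === 'upgrade' && sourceScheme === 'http' && urlScheme === 'https';
}

// Simplified host-source matching: scheme and host only
// (ports, paths, wildcards and keywords are out of scope here).
function allowed(policy, url, mode) {
  const target = new URL(url);
  const urlScheme = target.protocol.slice(0, -1);
  return sourcesFor(policy, 'script-src').some((src) => {
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(src);
    if (!m) return false;
    return schemeMatches(m[1].toLowerCase(), urlScheme, mode) &&
           m[2].toLowerCase() === target.hostname;
  });
}

// Model the extension's rewrite of an http:// request to https://.
function rewriteToHttps(url) {
  const u = new URL(url);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.toString();
}

const rewritten = rewriteToHttps(ORIGINAL);
console.log('original, exact   :', allowed(POLICY, ORIGINAL, 'exact'));
console.log('rewritten, exact  :', allowed(POLICY, rewritten, 'exact'));
console.log('rewritten, upgrade:', allowed(POLICY, rewritten, 'upgrade'));
```

Running the same check over a site's real policy and script URLs shows which `http://` source expressions would need an `https://` counterpart for clients that match schemes exactly.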