As reported here: https://mail1.eff.org/pipermail/https-everywhere/2010-November/000475.html We now need to work out whether there is a subset of cookies that we can secure to prevent account hijacking while still allowing apps to function :(