While investigating [this bug report](https://mail1.eff.org/pipermail/https-everywhere-rules/2012-November/001397.html) I realised that HTTPS Everywhere will actually flag cookies as secure from within HTTP-only pages/origins. Needless to say, this can interact very badly with *.example.com target host rules! This is something we [explicitly avoid](https://gitweb.torproject.org/https-everywhere.git/blob/3.0.4:/src/chrome/content/code/HTTPS.js#l214) in the [handleSecureCookies() path](https://gitweb.torproject.org/https-everywhere.git/blob/3.0.4:/src/components/https-everywhere.js#l442) that deals with cookies set in HTTP headers. But we have [another path](https://gitweb.torproject.org/https-everywhere.git/blob/3.0.4:/src/components/https-everywhere.js#l448) which I think was added to fix legacy/trac#3766 which does not perform the same check.