rules with [^/@:] don't catch all traffic
Torproject.xml currently has the following
<rule from="^http://([^/:@]*)\.torproject\.org/" to="https://$1.torproject.org/"/>
but an attacker trying to get you to send (for example) cookies in the clear can just include a username part in (for example) an img src to coax the browser into making a cleartext connection:
<html>
<head>
<title>a test</title>
</head>
<body>
<!-- this first one gets loaded in the clear -->
<img src="http://www@www.torproject.org/images/icon-default.jpg" />
<!-- https-everywhere intercepts this one and sends it out over https -->
<img src="http://www.torproject.org/images/icon-default.jpg" />
</body>
</html>
This seems especially bad for sites with cookies to protect which don't have the Secure flag set properly.
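To make the gap concrete, here is an added Python check (not part of the original report or of the HTTPS Everywhere ruleset) that applies the quoted rule to a few constructed URLs, shows the host the browser actually connects to once the userinfo part before "@" is stripped, and compares it with a tightened from-pattern. The tightened pattern is this example's own proposal, not a change the project has made: it allows an optional userinfo component before the host and carries it across, while the host capture still excludes "/", ":" and "@" so an attacker-controlled host cannot slip into the match.

```python
import re
from urllib.parse import urlsplit

# The rule as quoted in the report (copied from the report, not from the live ruleset).
ORIGINAL_FROM = r"^http://([^/:@]*)\.torproject\.org/"
ORIGINAL_TO = r"https://\1.torproject.org/"

# Proposed tightened rule (an assumption of this example, not the project's fix):
# an optional "user[:pass]@" component is matched separately and preserved,
# so a URL with userinfo is still rewritten to https.
FIXED_FROM = r"^http://([^/@]*@)?([^/:@]*)\.torproject\.org/"
FIXED_TO = r"https://\1\2.torproject.org/"


def apply_rule(url, from_re, to_tpl):
    """Apply one from/to rule the way a regex rewriter does: substitute on a
    match anchored at the start of the URL, otherwise leave the URL untouched."""
    return re.sub(from_re, to_tpl, url, count=1)


def browser_host(url):
    """Host the browser really connects to; anything before '@' is userinfo, not host."""
    return urlsplit(url).hostname


def analyse(url):
    """Return (connected host, result under the original rule, result under the fixed rule)."""
    return (
        browser_host(url),
        apply_rule(url, ORIGINAL_FROM, ORIGINAL_TO),
        apply_rule(url, FIXED_FROM, FIXED_TO),
    )


if __name__ == "__main__":
    samples = [  # constructed test URLs
        "http://www.torproject.org/images/icon-default.jpg",
        "http://www@www.torproject.org/images/icon-default.jpg",
        "http://user:pass@www.torproject.org/",
        "http://evil.example/@www.torproject.org/",
    ]
    for u in samples:
        host, orig, fixed = analyse(u)
        print(f"{u}\n  host={host}\n  original rule -> {orig}\n  fixed rule    -> {fixed}")
```

The second sample is the report's img src: the original rule leaves it on http even though the browser connects to www.torproject.org, while the tightened rule upgrades it. The last sample shows the tightened pattern does not over-match: "evil.example" contains no "@" before its first "/", so neither rule rewrites a URL whose real host is not under torproject.org.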