[HTTPS-Everywhere] Microsoft.com/security/ exclusion needed

Chris Palmer chris at noncombatant.org
Mon Oct 18 10:16:45 PDT 2010


> I wonder if this was intended as some kind of anti-clickjacking measure or
> as a defense against cookie theft via mixed content? In the former case it
> seems broken; in the latter case perhaps not.

Defeating clickjacking is quite hard indeed, and most such mechanisms are
broken. I also doubt it's intended as any kind of cookie theft defense ---
redirecting to unsafe transport is no way to stop cookie theft. :)

I can't imagine what they are thinking. We should lobby them to change it so
that HTTPS works.
