This includes a workaround for a silly bug.

Future work would be to ignore TLS errors if for rewritten URLs. (We
should not be strict with these because there could be bugs in the HTTPS
Everywhere ruleset. We should only be strict when the site itself
redirects to HTTPS, or when the user navigates to an HTTPS page.)