HTTPS Everywhere extension can be disabled by viewing a HTML page without user interaction. Tricking a user into pasting the chrome-extension URI in their address bar was too much user interaction for for a feasible attack. The fix for the extension corruption issue was reported in a separate report and by the time I reported the combination of the two issues, the fix was already out in Chrome Beta! Both issues are now fixed in the latest stable version of Chrome Beta. The ping attribute, if present, sends the URLs of the resources a notification/ping if the user follows the hyperlink.”]
Source: https://labs.detectify.com/2015/07/28/how-i-disabled-your-chrome-security-extensions/