Shoot, looks like I forgot to reply to this thread yesterday. It's been sitting in my email drafts...
Here's what I originally wrote:
"Thanks for the great analysis on this. Chris and I have been talking about how best to deal with this issue and feel that we should add a disclaimer to note the side effects of using our extension. In my opinion, a user of our rules is expecting sites to redirect for them / be enabled by default. This is a tricky issue, and we are balancing between security, expected behavior, and convenience here. I'm open to being persuaded, however, so a decision hasn't been set in stone yet.
It's also worth noting that this doesn't just apply to Facebook. Another example can be img.bi, which allows for embeds into other web pages. These would also be loaded over the .onion if our rules are loaded, fingerprinting as one of our users. Granted img.bi isn't as huge as Facebook in use, but it's another example of this behavior.
I'd like to try out that exclusion rule you found, but I'd need some time to hack away on this, and I don't see any spare time coming my way until at least next week.
As for merging this into the Tor Browser, this would have to be done by the EFF since they are the maintainers of HTTPS Everywhere. If this happens, it would be ideal since we would have a much larger percentage of users, making the use of these rules a lot less unique. Yan mentioned this on the https-everywhere list about a month ago, with the intention of making an "onion" toggle switch, but I haven't seen or heard anything relating to this. Anyone want to pester them for an update? :)"
As for Privacy Badger, it could stop the Facebook Like buttons, trackers, etc. from being loaded into the page, at least as far as I understand how the extension works. (NoScript in the TBB could do the same thing too, in theory.) But like juto said, it's not ideal since this makes your browser much more identifiable.