HTTPS security compromised by insecure script download
The attacker (a middleman) can just append malicious code to this script to, for instance, rig the login box and leak the password.
(Also note: browsers display "secure site" icons only if all elements of a page are downloaded securely.
Images from media-cdn.bitbucket.org and www.gravatar.com are downloaded insecurely; it's considered a good security practice to download all elements through secured connections as well, though I can't see an obvious attack scenario here. I do realize that Gravatar can't be secured easily.)