diff --git a/.tridactylrc b/.tridactylrc index b9924926..c914941c 100644 --- a/.tridactylrc +++ b/.tridactylrc @@ -28,7 +28,7 @@ " " May require the latest beta builds. " " " Uncomment the lines you want to keep then move this file to -" " $XDG_CONFIG_DIR/tridactyl/tridactylrc (that's +" " $XDG_CONFIG_HOME/tridactyl/tridactylrc (that's " " ~/.config/tridactyl/tridactylrc to mere mortals) or ~/.tridactylrc and " " install the native messenger (:installnative in Tridactyl). Run :source to " " get it in the browser, or just restart. @@ -118,29 +118,27 @@ " command fixamo_quiet jsb tri.excmds.setpref("privacy.resistFingerprinting.block_mozAddonManager", "true").then(tri.excmds.setpref("extensions.webextensions.restrictedDomains", '""')) " command fixamo js tri.excmds.setpref("privacy.resistFingerprinting.block_mozAddonManager", "true").then(tri.excmds.setpref("extensions.webextensions.restrictedDomains", '""').then(tri.excmds.fillcmdline_tmp(3000, "Permissions added to user.js. Please restart Firefox to make them take affect."))) " -" " Make Tridactyl work on more sites at the expense of some security. For -" " details, read the comment at the top of this file. +" " Make Tridactyl work on more sites at the expense of some security. +" " For details, read the comment at the top of this file. " fixamo_quiet " -" " Equivalent to `set csp clobber` before it was removed. This weakens your -" " defences against cross-site-scripting attacks and other types of -" " code-injection by reducing the strictness of Content Security Policy on -" " every site in a couple of ways. -" " +" " The following modification allows Tridactyl to function on more pages, e.g. raw GitHub pages. " " You may not wish to run this. Mozilla strongly feels that you shouldn't. +" " Read https://wiki.mozilla.org/Security/CSP#Goals for more information. " " -" " It allows Tridactyl to function on more pages, e.g. raw GitHub pages. +" " Equivalent to `set csp clobber` before it was removed. +" " This weakens your defences against cross-site-scripting attacks +" " and other types of code-injection by reducing the strictness +" " of Content Security Policy on all sites in a couple of ways. " " " " We remove the sandbox directive " " https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox -" " which allows our iframe to run (and anyone else's) on any website. +" " which allows our iframe (and anyone else's) to run on any website. " " " " We weaken the style-src directive " " https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src -" " to allow us to theme our elements. This exposes you to 'cross site styling' -" " attacks. -" " -" " Read https://wiki.mozilla.org/Security/CSP#Goals for more information. +" " to allow us to theme our elements. +" " This exposes you to 'cross site styling' attacks " jsb browser.webRequest.onHeadersReceived.addListener(tri.request.clobberCSP,{urls:[""],types:["main_frame"]},["blocking","responseHeaders"]) " " " Make quickmarks for the sane Tridactyl issue view