"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."
in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."
You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a
The only way this hurts you as a user is if all of the following occurs:
1. You manually install Tridactyl
2. You manually install our native messenger
3. You manually fun a command called `fixamo` or you manually find and install our exemplar RC file that explicitly says at the top that you should read it because it does things you might not like; and then you don't read or edit it
4. You also manually install a malicious addon
5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without tridactyl's help) but does have permission for accounts.firefox.org
6. That addon can then steal your firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).
My view is that you're pretty much fucked if you install a malicious addon with <all_urls> anyway (and many addons request that permission), so this slight extra capability you get if you successfully phish someone in this pool of <1000 people isn't a big deal.
