From 0b32796034680341c2dc446c3af69d4138b06f3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=F0=9F=95=B7?= <3756473+zendive@users.noreply.github.com> Date: Mon, 31 Jul 2023 18:03:12 +0300 Subject: [PATCH] update protection tips --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 08f4c7b..21cdcf5 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,8 @@ pnpm zip # make extension.zip - How to protect your site from this extension: - Well, tests show that even `Content-Security-Policy: default-src 'none';` header won't prevent injection of extension content-scripts... + - Avoid assigning to `window` or `globalThis` any application object. + See also [accidental global variables and memory leaks](https://www.tutorialspoint.com/explain-in-detail-about-memory-leaks-in-javascript). - In general, you can incapacitate console functions: ```js for (const prop in console) {
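Review bot: The new bullet under "How to protect your site from this extension" states the rule without the reason, and the "See also" link it adds is about memory leaks, which is a different concern from the protection this list covers. Consider adding one clause that says why keeping application objects off `window` and `globalThis` helps here, given the preceding bullet's point that content-scripts are injected even with `default-src 'none'`, and either drop the link or introduce it explicitly as a side benefit. The wording would also read more naturally as "Avoid assigning application objects to `window` or `globalThis`."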