- # When enabling this setting, the corresponding setting on the
- # keep-web server must also be enabled.
+ # When enabling this setting, the -trust-all-content flag on the
+ # keep-web server must also be enabled. For more detail, see
+ # https://godoc.org/github.com/curoverse/arvados/services/keep-web
+ #
+ # This setting has no effect in the recommended configuration, where
+ # the host part of keep_web_url begins with %{uuid_or_pdh}: in this
+ # case XSS protection is provided by browsers' same-origin policy.
+ #
+ # The default setting (false) is appropriate for a multi-user site.
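Review bot: the added comment block, from "This setting has no effect in the recommended configuration" down to "The default setting (false) is appropriate for a multi-user site", never says what is lost when the setting is true and the host part of keep_web_url does not begin with %{uuid_or_pdh}. It explains when the setting is inert and which default suits a multi-user site, but the reader has to infer from the same-origin sentence that the trade-off is about XSS protection. Suggest adding one sentence stating that consequence directly for the non-recommended configuration, so an operator can judge the risk from this file alone without following the godoc link. Minor wording point on the first added line: a command-line flag such as -trust-all-content is "set" or "passed" rather than "enabled".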