Performing a Review

Reviewer Intro Tour: ask your guide to select an add-on for you to review. Don't submit your first review without their pre-approval!

Add-on reviewers have a big responsibility. We need to ensure add-ons are safe to use, good quality, and clearly presented to our users. We also need to make sure developers get quick, clear, and actionable reviews.

AMO is designed so that popular and well-reviewed add-ons bubble to the top search rankings. The full and preliminary review levels also create two layers that allow us to list add-ons that are not quite ready for general consumption. Since we have good filtering mechanisms on AMO, our general policy is to only reject when strictly necessary. Rejection is necessary when an add-on has security issues, doesn't meet our content policies, or a few other cases which are spelled out in this guide. If an add-on doesn't meet the criteria for rejection, it should at least get preliminary approval.

Policies and actions

The rest of this page explains what our policies and recommended actions are for common add-on issues. Add-ons must be reviewed completely, and all issues written down as they are found. Once the review is complete, the sum of all noted issues is used to determine what the review resolution should be, and all issues should be included in the notes sent to developers.

Step 1: Review Add-on Metadata

Before getting started, here's a very important legal note: reviews must not involve checking for copyright or trademark violations. You should not take any action on an add-on because you suspect it copies code from others without permission or may otherwise infringe somebody else's copyright or trademark. The DMCA is a law that gives us legal protection from being held responsible for copyright infringement by users who post content to our site, but only if our conduct qualifies us for such protection and we follow exactly the procedures laid out in the DMCA. Determining copyright or trademark infringement is complicated and you will not have enough information to make those determinations.

If you have any concerns about the legality or legitimacy of an add-on, please email amo-editors AT mozilla DOT org.

Policies and Actions

Add-on Relevance

Add-ons must not be rejected because a reviewer doesn't find them useful. We let AMO users make that call, and add-ons that aren't very useful won't gain much usage and have low search rankings.

In some cases, however, reviewers should deny full review to add-ons due to their usefulness. Add-ons that commonly fall into this category are:

• Add-ons that help access very specific webpages. For example, an add-on that makes it easier to use an internal business site or a university library.
• Add-ons targeted to a limited geographical area. For example, an add-on for a local city newspaper or radio station.
• Add-ons that don't do more than link to websites through buttons or menu items.
• YouTube (or other) video downloaders. We already have too many add-ons of this kind, with little to no distinction between them. Unless the add-on provides something really innovative to video downloading, it should not get full approval.

When in doubt, don't apply this policy.

Step 2: Automatic validation

We have a extensive set of tests that identify common bad practices and possible security problems with add-on code. Reviewers must run the code validator and inspect the results when performing a review. Each Add-on History entry has a validation link, and you'll want to validate the latest one.

Clicking on the link will take you to the validation page, where the automatic code validator will run for that version of the add-on and then the results will be displayed. We recommend opening this link in a new tab.

If the validator shows a validation error and no results, it's possible that reloading the validation page will fix the problem. If the problem persists contact the review team on the #amo-editors IRC channel or pick a different add-on to review.

Policies and actions

There are many other validation flags of varying importance. If you're unsure about which action to take, please ask on the mailing list.

Step 3: Code Review

Every line of add-on code must be reviewed. The code validator can't detect all possible security or code quality issues, so we must always be on the lookout for bad code. For versions in the Preliminary Review queue, the code review should just ensure the add-on's safety.

All review pages have a View Contents link that take you to the code browser page. Pending updates also have a Compare with Public Version link next to it, which will show you the code with the changed sections highlighted.

For updates, the compare link should be used. However, it can sometimes fail to work for very large add-ons. In that case, you can either review the full source code, or download the new and public files to your system and compare them using tools like xpidiff.sh or WinMerge.

Validation results are integrated into the code viewer, so you can see validation warnings in context. For Add-ons SDK extensions, known library files are shaded in grey, and their origin is stated in the popup that appears when hovering over them.

Policies and Actions

See the security code review page for more detail on the above security rejection reasons.

In general you should apply your judgement and try to identify code that may appear suspicious or out of place. Try to understand what everything does and how it all fits together.

By the end of the code review, you'll may have a series of notes that will require the add-on to be significantly rewritten. If you think that's the case, it's OK to resolve the review without proceeding to the next step. If the add-on needs work but is safe to use, it can be given a preliminary review approval without performing any testing. If the add-on needs work and you are not sure if it is safe to use, then leave the add-on for someone else to review, request a admin review, or ask for help in the mailing list.

Step 4: Feature Review

The last step in a review is to install and test the add-on.

Testing setup

These are a few settings and tools you should use or consider using when setting up your add-on testing environment:

• Always use a separate profile for testing, never your main profile. See Setting up an extension development environment.
• Ideally you should perform your tests in a virtual machine. It is always useful in case you need to test in multiple platforms. VirtualBox is free and supports most platforms.
• Enable full Error Console reporting, as described in the Development Preferences section.
• These add-ons help you inspect add-on behavior and find possible solutions for problems:
  • DOM Inspector. Analyze XUL and HTML layout, CSS and even JS objects.
  • Console² for detailed Console logging.
  • Tamper Data or Live HTTP Headers for HTTP traffic analysis.
  • Leak Monitor to detect some types of memory leak. See Leak Gauge for a more general solution.
  • Extension Test to detect loose variables and DOM IDs, prototype extension, dangerous category registration, and other difficult to spot problems. Also automatically sets the required dom.report_all_js_exceptions and javascript.options.showInConsole preferences.
• To test Fennec add-ons, you'll need to install Fennec. It is preferred that you test in a supported mobile device. If a Fennec nomination has been waiting for long, it's OK to test with the desktop XULRunner application.
• For online malware scanning, you can use Virus Total, Kaspersky online scan and Jotti online scan. AMO performs virus checks, and binary add-ons should be admin-reviewed anyway, but if you suspect anything, those are good tools to use.

Installing and testing

Add-ons are normally cross-platform, so there will only be a single file to review, in the same section where the validator and source links are located. If the add-on is offered for a limited number of platforms, there will be individual links for each one of them. In this case all supported platforms should be tested.

Regarding applications, you don't need to test the add-on for all applications it supports. If the add-on supports Firefox and others, it's OK to only test on Firefox. If, however, an add-on update introduces Fennec or other application support, the add-on should be tested on it. The applications we support for reviews are listed on this page.

Policies and actions

Policy	Action	Notes
Security violations	Reject	Adding HTTP content to secure pages. Visit HTTPS sites like addons.mozilla.org and make sure the identity button is unchanged. This is specially important for add-ons that insert scripts into sites.
No Surprises violation	Preliminary Review	Changing homepage, default search provider, including unexpected ads or content changes without explicit user opt-in.
Privacy violations	Preliminary Review	Incorrect or insufficient privacy policies, not respecting Private Mode.
Showing a modal dialog at startup	Preliminary Review	Many add-ons open dialogs or new tabs at startup, mostly offering information on getting started. This is useful, but it shouldn't block the user from using the browser. Opening modal (blocking) dialogs at startup is not allowed. Non-modal dialogs, separate windows or new tabs are allowed.
Errors in the Error Console	Preliminary Review
Add-on is very hard to use without instructions	Preliminary Review	If the add-on is difficult to use, there should be instructions included in the add-on descriptions, or in a startup page or window.
Toolbar buttons are not customizable	Preliminary Review
Memory leaks from content or chrome	Preliminary Review	If an add-on touches the content in any way, we need to test the add-on on a page where it works, close the page, and then look in about:memory?verbose. Remaining compartments related to the page indicate a memory leak. After disabling the add-on (and minimizing memory usage) the add-on should no longer use any memory. If it does, it leaks to chrome. More details here and here.
Affiliate linking	Preliminary Review	See details below.
Requires third party software or paid registration	Admin Review	This excludes add-ons that require other add-ons to function, like Firebug extensions.
Inserts ads into content	Admin Review	The rules in these cases are complex. They need to be clearly labeled as coming from the add-on (otherwise Prelim). They can't remove or replace existing ads (otherwise Reject). They need to follow No Surprises (otherwise Prelim). And there are also security concerns (Reject) and privacy concerns (Prelim).

Other tests to perform:

• Visit a very simple website like example.org and inspect its DOM, looking for any changes. Again, this is particularly important for extensions that insert scripts or make DOM changes.
• Open the add-on's preferences window, from the Add-ons Manager and elsewhere, and verify that preference changes apply properly. Make sure the window fits all of its contents (a common problem in Mac OS).
• Test all add-on features, within reason. If there too many, focus on the main features.
• Remove all added toolbar buttons, disable all added toolbars, and restart the browser. Make sure that buttons and toolbars are all removable and do not reappear on restart. Make sure that missing toolbar buttons to not cause errors to appear in the Error Console.
• Open the Customize Toolbar dialog and make sure that all buttons have appropriate icons and label text.
• Affiliate linking. Some add-ons add affiliate codes to Amazon links (or similar) in order to make money. At the moment we allow this as long as (1) the add-on follows the No Surprises policy, (2) the feature doesn't replace or remove any existing affiliate codes, (3) the affiliate codes aren't inserted in the merchant website's links (inserting Amazon affiliate codes in Amazon.com pages).

Step 5: Resolution

Choose the appropriate resolution and include all of your notes. Make sure you use a corteous and professional tone, and be as helpful as you can when pointing out problems or areas for improvement. If you are pushing the add-on public, thank the author for the time and effort they have put in. Once you're ready, click the Process Action button.

The submission of the review form can fail for a number of reasons, so it is highly recommended that you copy of your notes to the clipboard before you click on the submit button. You can also use add-ons like Textarea Cache for this.

Editor tour: remember to ask the admin editor to review your response before sending it.

Next: The Mailing List