FirefoxOS Add-on Review guide
Accessing the Review Tools
- Device dependent
- Desktop: go to https://marketplace.firefox.com/content/
- FirefoxOS: open the Marketplace app; if you're logged in, choose 'More'|'Settings'|'Develop Firefox OS Add-ons'
- Press FirefoxOS Add-ons button
- Press Review Add-ons button
- Default is pending queue
- sort is newest first (! - it's the wrong order currently)
- Add-on name or 'review this add-on' links go to review page
- You need a 2.5 build of FirefoxOS - the one released on branch date around 2 Nov, or as near as you can get (there were last minute features landing)
- Enable reviewer certificates in the settings menu, like with apps.
- You shouldn't need to set any other preferences or enable developer mode
- Download the zip file for the latest version (no in-site file viewer)
- Inspect the manifest to see what pages or apps are affected
- obfuscated code - if it's trivial and you can de-obfuscate it then fine; if it's large or still incomprehensible then we must request the source code and obfuscation instructions that reproduce the submitted zip. See security guide obfuscation section for more details.
- note any syntax errors or invalid properties. Common issues are in canned responses
- Consider if the pattern is appropriate, e.g. matching all URLs when it only affects one app or site
- inspect the content scripts
- read every line and establish what the script is doing/changing/inserting
- if there is further regex matching or filtering of affected URLs inside, again check for appropriateness.
- url.indexOf('blah')!=-1 is normally bad
- check compliance with the review criteria - especially the security section.
- generally consider quality of the add-on - these will be the first few add-ons that users are able to install. We aren't setting a quality bar, but we can be picky about things that need fixing.
- once code review is done install on device
- see device setup
- see Login/Navigating (no 'reviewing' shortcut queue)
- if the add-on just affects websites
- opening an affected site in the browser app, or the hosted webapp (e.g. Twitter) is enough to test.
- if the add-on affects system
- we must check disabling:
- toggle off in settings|Add-ons
- We don't (currently) require a 100% removal after just disable (the user is warned they should reboot) but the device should still be usable. Either the disable should work cleanly and all add-on changes be reverted; or the add-on functionality should completely work until reboot.
- and uninstall:
- reboot the device after uninstalling in settings|Add-ons (the disable eventListeners don't get called for uninstall)
- this check is only for certain add-ons that make preference changes that need to be reverted (e.g. movable homescreen button)
- it's good practice to have a clean boot after testing each add-on that affects system anyway.
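
To illustrate the url.indexOf item in the content script checks above, here is an added example (not from this guide or from any submitted add-on) that compares the substring test with an exact hostname comparison. TARGET_HOST and the sample URLs are constructed for the illustration.

```javascript
// Added illustration; TARGET_HOST and the sample URLs are constructed.
const TARGET_HOST = 'app.example.org';

// The pattern the guide flags: true whenever the text appears
// anywhere in the URL (host, path or query string).
function looseMatch(url) {
  return url.indexOf(TARGET_HOST) != -1;
}

// Stricter form: parse the URL first, then compare the hostname exactly.
function strictMatch(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable input never matches
  }
  return parsed.hostname === TARGET_HOST;
}

const samples = [
  'https://app.example.org/timeline',               // the intended site
  'https://app.example.org.other.example/timeline', // text is a prefix of another host
  'https://other.example/?next=app.example.org',    // text is in the query string
  'https://other.example/app.example.org/index.html', // text is in the path
  'not a url',
];

// Evaluate both checks for every URL.
function compare(urls) {
  return urls.map((u) => ({ url: u, loose: looseMatch(u), strict: strictMatch(u) }));
}

// URLs where the content script logic would run under the loose check only.
function overMatched(urls) {
  return compare(urls).filter((r) => r.loose && !r.strict).map((r) => r.url);
}

for (const r of compare(samples)) {
  console.log(`${r.loose ? 'loose ' : '      '} ${r.strict ? 'strict' : '      '} ${r.url}`);
}
console.log('matched only by indexOf:', overMatched(samples).length);
```

When a script filters URLs this way, the reviewer's question is whether every URL the check accepts is one the add-on is meant to affect.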