Changes

Add-ons/Reviewers/Guide/Reviewing

5,134 bytes removed, 21:29, 19 January 2015

Validation

== Performing a Review ==

'''Reviewer Intro Tour:''' ask your guide to select an add-on for you to review. Don't submit your first review without their pre-approval!

Add-on reviewers have a ~~great~~ big responsibility. We need to ensure add-ons are safe to use, good quality, and clearly presented to our users. We also need to make sure developers get quick, clear, and actionable reviews.

AMO is designed so that popular and well-reviewed add-ons bubble to the top search rankings. The full and preliminary review levels also create two layers that allow us to list add-ons that are not quite ready for general consumption. Since we have good filtering mechanisms on AMO, our general policy is to '''only reject when strictly necessary'''. Rejection is necessary when an add-on has security issues, doesn't meet our content policies, or a few other cases which are spelled out in this guide. If an add-on doesn't meet the criteria for rejection, it should at least get preliminary approval.

==Policies and actions ==The rest of this page explains what our policies and recommended actions are for common add-on issues. Add-ons must be reviewed '''completely''', and all issues written down as they are found. Once the review is complete, the sum of all noted issues is used to determine what the review resolution should be, and all issues should be included in the notes sent to developers. = Step 1: Review Add-on Metadata ===

Before getting started, here's a very important legal note: reviews '''must not''' involve checking for copyright or trademark violations. You should not take '''any''' action on an add-on because you suspect it copies code from others without permission or may otherwise infringe somebody else's copyright or trademark. The DMCA is a law that gives us legal protection from being held responsible for copyright infringement by users who post content to our site, but only if our conduct qualifies us for such protection and we follow exactly the procedures laid out in the DMCA. Determining copyright or trademark infringement is complicated and you will not have enough information to make those determinations.

If you have any concerns about the legality or legitimacy of an add-on, please email amo-editors AT mozilla DOT org.

==== Policies and Actions ====

{| cellspacing="0" cellpadding="1" border="0" style="width: 80%"

|+

|-

! style="border-bottom: 2px solid black" scope="col" | ~~Policy~~ Issue

! style="border-bottom: 2px solid black" scope="col" | Action

! style="border-bottom: 2px solid black" scope="col" | Notes

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Empty name (the name is blank in default locale)~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Request More Information~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject if the name is not updated after 3 days.|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border~~The add-~~bottom: 1px solid black;" | Missing~~ on doesn't provide enough information in its descriptions~~, missing testing information~~ for users to figure out what it does.| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Request ~~More Information~~ more information

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" |

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Add~~The add-on name and /or code appear copied ~~from~~ or very similar to a popular add-on (like ~~Firebug or~~ AdBlock Plus) .| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Admin Review / Notify mailing list~~ Request super-review| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | These add-ons can include ~~some form of~~ malicious code and trick users into thinking they are the original one. We accept add-on forks or with similar features, but we don't want to confuse users.

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" |

~~|- style="vertical-align: top;"~~

~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add-on name or icon identical or very similar to existing, active listing~~

~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Admin Review~~

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | We want to avoid user confusion when selecting which add-on to install. It's OK to fork, but it should be clear what are the differences between very similar offerings.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Other copyright suspicions

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Ignore~~ No action | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | We have a legal obligation *''not* '' to take action ~~unless the author of the original code files a DMCA complaint~~. ~~If you see any malicious intent in the copied add-on, follow the same Action as the previous policy.|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Not compatible with~~ See note at the ~~current versions~~ beginning of ~~the application~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add note~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | There's a canned response for~~ this ~~purpose. Reject if the maxVersion is lower than 4.0, unless it's a critical fix.|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Missing Privacy Policy or EULA when necessary| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Preliminary Review~~ | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | These descriptions are necessary if the add-on handles user information remotely, or the user needs to agree to any terms in order to use the add-onsection.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Questionable add-on relevance~~ Missing Privacy Policy when necessary

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Preliminary Review

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Carefully read the [[#Add-on_Relevance|Add~~A Privacy Policy is required if an add-on ~~Relevance]] section below. This policy should only be enforced on extreme circumstances.|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | New version doesn't follow previous editor requests~~ ~~| style="padding: .5ex 1ex 1ex 0; border~~sends any user information to a remote server, even if it is not personally-~~bottom: 1px solid black;" | Preliminary Review~~ ~~| style="padding:~~ identifying.~~5ex 1ex 1ex 0; border-bottom: 1px solid black;" | If the author keeps submitting the same version, contact the mailing list~~Even stats pings require a Privacy Policy.

|}

==== Add-on Relevance ====

Add-~~on relevance should only matter if the add-on is obscure or difficult to review, or you think that it is too simple to~~ ons must not be ~~fully approved. In general you shouldn~~rejected because a reviewer doesn't find them useful. We let AMO users make ~~any assessments on add-on relevance~~that call, ~~since we have download counts, active daily users~~ and ~~user reviews to rank all~~ add-ons ~~on AMO~~that aren't very useful won't gain much usage and have low search rankings.

~~We have~~ In some cases, however, reviewers should deny full review to add-ons due to their usefulness. Add-ons that commonly fall into this category are:* Add-ons that help access very specific webpages. For example, an add-on that makes it easier to use an internal business site or a university library. * Add-ons targeted to a ~~very low admission threshold~~limited geographical area. For example, ~~but we~~ an add-on for a local city newspaper or radio station. * Add-ons that don't ~~want~~ do more than link to ~~fully publish~~ websites through buttons or menu items.* YouTube (or other) video downloaders. We already have too many add-ons ~~that will get at most a couple hundred downloads and will be mostly ignored during their lifetime~~of this kind, with little to no distinction between them. ~~In that case,~~ Unless the add-on provides something really innovative to video downloading, it should ~~at best receive a preliminary review~~ not get full approval.

~~Add-ons that commonly fall into~~ When in doubt, don't apply this ~~category are:~~ policy.

*Add-ons that help access very specific webpages. For example, an add-on that makes it easier to use an internal business site or a university library. *Add-ons targeted to a limited geographical area. For example, an add-on for a local city newspaper or radio station. *Add-ons that only add a toolbar or menu filled with website links, similar to plain bookmarks. *Add-ons that download video files from Flash video sites like YouTube. We already have too many add-ons like these, with little to no distinction between them. Unless the add-on provides something really innovative to video downloading, it should not get full approval.= Step 2: Automatic validation =

~~Assessing the relevance~~ We have a extensive set of an tests that identify common bad practices and possible security problems with add-on ~~can be difficult~~code. ~~In these cases you should leave~~ Reviewers must run the code validator and inspect the results when performing a review . Each Add-on History entry has a validation link, and you'll want to ~~somebody else or ask on~~ validate the ~~mailing list~~latest one.

~~=== Step 2~~[[Image: ~~Automatic~~ Validation-link.png|center|Add-on validation ~~===~~link]]

~~We have a extensive set~~ Clicking on the link will take you to the validation page, where the automatic code validator will run for that version of ~~static tests that identify common bad practices and possible security problems with~~ the add-on ~~code. You must always run the code validator~~ and ~~inspect~~ then the results ~~when performing~~ will be displayed. We recommend opening this link in a ~~review~~new tab.

~~Each Add-on History entry has~~ If the validator shows a validation ~~link. You~~error and no results, it'~~ll want to validate~~ s possible that reloading the ~~latest version.~~ ~~[[Image:Validation-link.png|center|Add-on~~ validation ~~link]]~~ ~~Clicking on~~ page will fix the ~~link will take you to~~ problem. If the ~~validation page, where~~ problem persists contact the ~~automatic code validator will run for that version of~~ review team on the #amo-editors IRC channel or pick a different add-on ~~and then the results will be displayed. It's usually best for navigation~~ to ~~open this link in a new tab~~review.

==== Policies and actions ====

{| width="~~700~~80%" cellspacing="0" cellpadding="1" border="0"

|-

! style="border-bottom: 2px solid black" scope="col" | ~~Policy~~ Issue

! style="border-bottom: 2px solid black" scope="col" | Action

! style="border-bottom: 2px solid black" scope="col" | Notes

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Missing file / Parse error / Validation error~~ Using eval, Function(), setTimeout, setInterval to evaluate JS code.

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Obfuscated, minified or binary~~ eval can be allowed when it is used to patch Firefox functions with local code ~~| style="padding:~~ .~~5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | There's a canned response for this.|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Obfuscated, minified or binary code,~~ setTimeout and setInterval can be used with ~~original sources included in XPI or provided link~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Admin Review~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" ||- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using eval, Function(), setTimeout~~hardcoded JS strings, ~~setInterval to evaluate remote code| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject~~ ~~| style="padding:~~ but using closures is preferred.~~5ex 1ex 1ex 0; border-bottom: 1px solid black;" |~~

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Remote script injection

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add-ons can use data-only APIs, but should never download and execute remote code, not even in the scope of a webpage. Any use of the <script> tag (like createElement("script")) needs to be carefully analyzed.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | <browser> or <iframe> elements with no type

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | See ~~canned response and~~ the [https://developer.mozilla.org/en/XUL/iframe#a-browser.type iframe documentation]. The type needs to be set to "content" (or "content-targetable", or "content-primary") ''before'' anything is loaded on that iframe. If the frame or browser is used to load chrome content, it's fine not to use a type as long as that's clear from reading the sourcecode.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Inserting remote content with innerHTML

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | If The canned response points to the [https://developer.mozilla.org/en-US/Add-ons/Overlay_Extensions/XUL_School/DOM_Building_and_HTML_Insertion right documentation about this]. innerHTML will execute any JS code contained in the injected string, so it~~'s only local content, Add a Note~~ needs to ~~fix~~ be very clear that there is no executable code in it ~~on future versions~~. ~~There's a canned response~~The docs offer various ways to ensure this.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using DOM Mutation events

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Preliminary Review

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Just add a note if this is a first warning and the add-on has been approved with this code before.~~|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Conduit add-on without~~ [https://~~addons~~developer.mozilla.org/en-US/~~firefox~~docs/~~user~~Web/~~4959120 CONDUIT-AMO] as author~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" |~~ ~~|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Conduit add-on with [https:~~API/~~/addons.mozilla.org/en-US/firefox/user/4959120 CONDUIT-AMO~~MutationObserver Mutation Observers] ~~as author~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Admin Review~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" |~~ ~~|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | JS Library (like jQuery) included, but not in its original file. JS Library doesn't pass checksum validation.| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | SHA-256 hashes recognized by the validator~~ are ~~stored at http://mzl.la/amo-libs and [https://github.com/mozilla/amo-validator/blob/master/validator/testcases/static_hashes.txt]|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Unicode characters (e.g. \u0060) in JS code~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject~~ | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Keep in mind these can be used safely inside strings. They're just not allowed to replace characters in JS code, since they can be used to bypass the ~~validator.|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using eval, Function(), setTimeout, setInterval to evaluate local code~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Preliminary Review~~ | style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | One case that we accept is when eval is used to replace existing Firefox functions. This is very common for add-ons that change bookmarking or tabbing behavior. It is also allowed in known libraries like jQuery.~~|- style="vertical-align: top;"| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using the codebase_principal_support preference or enablePrivilege function~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Preliminary Review~~ ~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | They're deprecated~~recommended alternative.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Native object prototype extension / Using Prototype library

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Preliminary Review

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | This only applies in XUL overlays, where the prototype extension affects the prototypes used by Firefox code and other overlays.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Storing passwords or other sensitive user data in the preferences

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Changing security preferences, permissions, certificates (nsIX509CertDB)

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Admin Review~~ Request super-review

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" |

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using nsIProcess

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Admin Review~~ Request super-review

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" |

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using JS c-types

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | ~~Admin Review~~ Request super-review

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" |

~~|- style="vertical-align: top;"~~

~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Using Geolocation~~

~~| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Test~~

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Give Preliminary Review if the add-on doesn't ask the user for permission to use geolocation before getting geolocation data ([https://developer.mozilla.org/en-US/docs/Using_geolocation#Prompting_for_permission this is how users should be asked for permission]). Approve if it does.

|- style="vertical-align: top;"

| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Localization errors

|}

~~See the [[AMO:Editors/EditorGuide/AddonReviews/Security|security code review]] page for more detail on the above security rejection reasons.~~ ~~Most of the~~ There are many other ~~validator~~ validation flags ~~are not that important, but they should still be fully read and understood~~of varying importance. ~~When in doubt~~If you're unsure about which action to take, ~~check the help page or~~ please ask in on the mailing list.

=== Step 3: Code Review ===

Jorge.villalobos

Canmove, confirm

1,448

edits

Changes

Add-ons/Reviewers/Guide/Reviewing

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools