https://wiki.mozilla.org/api.php?action=feedcontributions&user=Anagekar&feedformat=atomMozillaWiki - User contributions [en]2024-03-29T12:17:06ZUser contributionsMediaWiki 1.27.4https://wiki.mozilla.org/index.php?title=Add-ons/Reviewers/Guide/Review_Decision&diff=1250212Add-ons/Reviewers/Guide/Review Decision2024-03-12T16:45:32Z<p>Anagekar: Changed certain verdicts, and added a few cases to align with the current set of guidelines on data collection policy</p>
<hr />
<div>= Review Decision Guidelines =<br />
<br />
This page provides guidance to support reviewers in making consistent review decisions based on our [https://extensionworkshop.com/documentation/publish/add-on-policies/ Review Policies]. In addition, it explains how to best communicate with the developer when conducting add-on reviews. It is a supplement to our [[Add-ons/Reviewers/Guide/Reviewing|Reviewer Guide]].<br />
<br />
== Completing the Review ==<br />
Add-ons must be reviewed '''completely''', noting issues in the review comments field as you find them. We want to avoid sending multiple partial reviews to developers and give them an opportunity to address all policy violations at once in their next submission.<br />
<br />
In the following sections we will explain how canned responses should be used for the issues you find and guide you through the review actions. Finally, you are guided on how to respond if you find issues that cover multiple review actions.<br />
<br />
=== Use of Canned Responses ===<br />
To ensure developers receive consistent, actionable responses from the review team, AMO makes use of canned responses that cover many of our policy issues.<br />
<br />
If no canned response is available for the issue you have found, you may write a custom response specific to the situation. Keep in mind that when writing a response to the developer, all responses must be in line with our policies. This is especially true when using custom responses. If you are unsure your response conforms with the policy, an admin reviewer will be able to assist you.<br />
<br />
In addition, we’d love to hear from you believe the response is useful to add to the official list of canned responses. We would much prefer that reviewers use the canned responses to ensure consistent replies, therefore adding new canned responses could be very useful.<br />
<br />
In some cases the developer responds to your review, either via email or by uploading a new version, making clear that they did not fully understand how to act upon the canned response. In such cases, sending the same canned response again will not help resolve the situation. Here it makes sense to explain the policy issue in a different, possibly more verbose way, using your own words.<br />
<br />
==== Example ====<br />
While the review comments field is free-form, we have a de-facto standard approach that lists the review issues in numbered lists each with a headline. Note that your text is inserted into an email that handles all the formalities, you should not need to begin your review with “Dear Developer” or sign with your name.<br />
<br />
Commonly, we use a numbered list item for each review issue, along with headings to separate sections as needed. Here is an example review text to give you an idea:<br />
<br />
<pre><br />
This add-on didn't pass review because of the following problems:<br />
<br />
1) We don't allow add-ons to use remote scripts because they can create serious security vulnerabilities. We also need to review all add-on code, and this makes it much more difficult. Please insert those scripts locally from your add-on code.<br />
- pages/inject.html line 8<br />
<br />
In addition, the following information is required to complete the review:<br />
<br />
1) Please provide us with detailed information on how to test this add-on. If authentication to a website is necessary, give us a test username and password to facilitate our work. This can be provided in the Whiteboard field, which can be found in the Edit Listing page under the Technical Details section. This information is only available to reviewers.<br />
</pre><br />
<br />
=== Reviewer Replies ===<br />
With a reviewer reply, you can convey information to the developer. You can use this action to answer questions the developer may have about your review. All communication between developers and reviewers is captured on the review history page.<br />
<br />
If you need the developer to take action, please make use of a delayed rejection instead. Doing so makes sure the correct email template is used and AMO knows to remind us when the developer has not responded to the request.<br />
<br />
If you are unsure how to answer a response from a developer, or the developer is disputing your review, please get in touch with admins to make sure the developer receives a reply. Involving a second reviewer to confirm your review can also be helpful if the developer does not want to accept your reasoning.<br />
<br />
=== Delayed Rejection ===<br />
If the add-on has minor policy issues that don’t require an immediate rejection, the delayed rejection action should be used. AMO will then reach out to the developer, asking them to resolve the issue within the requested time frame. If the developer fails to comply, the marked versions will be rejected.<br />
<br />
To use a delayed rejection, select “Reject Multiple Versions”, and select the option to delay the rejection. All versions you have selected will be rejected after the time passes. You will need to determine when the developer started to use the code in question, so you can determine which versions to reject. Generally it is sufficient to check back until the last reviewed version, for example using a [https://en.wikipedia.org/wiki/Bisection_(software_engineering) bisection] approach. If the issue also exists in that last reviewed version, you will need to track back further.<br />
<br />
If the developer responds, you will receive email with the developer’s response. At this time you should return to the review page to continue reviewing using the information you received from the developer. Note that the developer may follow up with further questions about the information you are requesting. In all cases, please answer developers in a timely manner ('''within 2 days'''). If you are answering questions that require no further action or response, please use the “reviewer reply” action.<br />
<br />
If you cannot complete the review after the developer has provided information, please at least check if the developer has provided the information you have requested and leave a comment on the version so that other reviewers can continue your work.<br />
<br />
Similarly, if you come across an add-on where the developer has provided information but the original reviewer has not followed up within that time, you are welcome to complete the review. The original reviewer may have prior knowledge that would speed up the review, but at the same time we do not want to keep developers waiting.<br />
<br />
=== Immediate Rejection ===<br />
Rejecting an add-on’s versions can mean anything from showing an outdated version of the add-on to completely hiding the listing from addons.mozilla.org (when rejecting all public versions). Especially in the post-review model where add-ons are reviewed after initial approval, a rejection can lead to frustration from the developer. At the same time, we need to ensure that there are no policy violations that threaten user security or privacy.<br />
<br />
'''Our general policy is to only reject immediately when necessary'''. Rejection is necessary when an add-on has security or privacy issues, doesn't meet our content policies, or fits one of the examples described later on.<br />
<br />
When rejecting the add-on, you will need to determine all affected versions using the same approach as for a delayed rejection. You can then select the option to reject immediately.<br />
<br />
In case of a rejection, developers may have questions on how to best resolve the policy issues, or if they have trouble understanding the message. Similar to the delayed rejection, please answer in a timely manner using the reviewer reply feature.<br />
<br />
=== Multiple Categories of Issues ===<br />
If you find multiple issues within the add-on where there are both delayed and immediate rejections, you may reject the add-on immediately. Please make sure to clearly separate information needed to complete the review from rejection reasons. An example on how this can be done is shown above.<br />
<br />
=== Super-Review ===<br />
Using the “Request Super Review” action will put the add-on into the admin queue. There are few select cases where this would occur, please see the examples below for further details. If you have a concern that needs immediate admin attention, please get in touch with the admins via the channel described in the Escalation section, as there are no specific notifications to admins when you request super review.<br />
<br />
=== Escalation ===<br />
There are certain cases that are severe enough that the reviewer actions on addons.mozilla.org are not sufficient and you must inform the admin team. This is especially true for [[Add-ons/Reviewers/Content_Review_Guidelines#Sexual_Content|reporting child pornography]], add-ons containing abusive functionality or being of malicious nature that must be blocked in accordance with our [[Blocklisting|blocking policy]].<br />
<br />
In such cases, you should contact the admin team via email at amo-admins [at] mozilla [dot] com. You can find more examples on when to escalate later on this page.<br />
<br />
== Examples ==<br />
The following sections show a few common examples on how to respond to certain policy violations. Please note however these are merely examples intended to convey the intent we have with the policies. It should not be considered a complete list of review decisions.<br />
<br />
=== No Surprises ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on sends all visited URLs to a third party service without adhering to the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject Immediately<br />
|-<br />
| The add-on uses means such as webRequest to circumvent the permission prompts for new tab page, homepage or search engine changes. || Reject Immediately<br />
|-<br />
| The add-on changes browsing behavior inhibiting user actions, such as closing or hiding about:addons or other special pages when opened. || Reject and Escalate Immediately<br />
|-<br />
| The add-on unexpectedly makes use of redirection to block the user from visiting certain sites without providing the user an option to circumvent the redirection. The add-on is violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises policy]. || Reject Immediately<br />
|-<br />
| The add-on silently modifies web content, for example by exchanging words and images, or adding content. This feature is not part of the core functionality and is not described to the user in any way. || Reject Immediately<br />
|-<br />
| The add-on describes itself as e.g. “VPN Service”, while at the same time it also provides something completely unrelated to the add-on’s core function, such as altering the new tab page and providing affiliate search results.<br /><br />The additional features are not stated in the description, and there is no opt-in for the additional feature, violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject Immediately<br />
|-<br />
| An add-on provides UI to allow the user to make a no surprises choice, but the default action is to accept the choice (hence not an opt-in). || Reject Immediately<br />
|-<br />
| An add-on makes use of an “unexpected” feature as per no-surprises policy, but fails to indicate so in the add-on description. || Delayed Reject<br />
|}<br />
<br />
=== Content Policy ===<br />
The content review policies are detailed in separate guidelines. Here are a few select examples for the content policy:<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| Sexual Content: An add-on contains obscene or pornographic images in the icon, screenshots, or anywhere within the add-on UI. || Reject Immediately<br />
|-<br />
| Sexual Content: An add-on contains images of potential or actual child pornography. || Reject and Escalate Immediately<br />
|-<br />
| Hate Speech: The add-on listing or UI attacks a person or group based on the attributes described in the [https://www.mozilla.org/en-US/about/legal/acceptable-use/ acceptable use policy].<br /><br />If you are unsure certain phrasing is acceptable or not, please contact an admin. || Reject Immediately<br />
|-<br />
| Spam: The add-on clearly has the sole purpose of linking to a product or website and at the same time does not offer any functionality (e.g. “WATCH THIS MOVIE ONLINE”). || Reject Immediately<br />
|-<br />
| Spam: The listing contains a large amount of words and links unrelated to the add-on’s functionality clearly intending to increase SEO rating. || Reject Immediately<br />
|-<br />
| Trademarks: The add-on is named “Mozilla Frobnicator”, “Firefox Spice Dispenser” or similar, instead of “Frobnicator for Mozilla” or “Spice Dispenser for Firefox”. || Reject Immediately<br />
|-<br />
| Trademarks: The add-on is related to [https://getpocket.com/ Pocket], and is named “Pocket Reader” or similar, instead of “Reader for Pocket”. || Reject Immediately<br />
|-<br />
| The add-on’s code, functionality or service used indicates that payment is required to use the core functionality of the add-on but the developer has not selected this option in the listing. || Delayed Reject<br />
|-<br />
| The add-on only functions within a closed environment, such as only for employees of a specific company (“internal or private use”). || Reject Immediately<br />
|-<br />
| Users can only sign up to the service using a “contact us” link on the website. There is no apparent web sign-up process (“only accessible to a closed user group”).<br /><br />(Note that especially on sites with foreign languages, maybe you just missed it. Best to ask the developer to provide information on how a user would sign up. If they can’t provide the information or confirm there is no web sign-up process, the add-on can be rejected). || Reject Immediately<br />
|-<br />
| The add-on is a fork of another add-on, while not providing a significant difference in functionality or code. || Reject Immediately<br />
|-<br />
| The add-on listing is well described, but requires knowledge of the specific system being used in combination with the add-on. || Approve<br />
|-<br />
| The add-on advertises functionality as part of the extension, that is provided completely by a website or third party application. The add-on merely opens the website. || Reject Immediately<br />
|-<br />
| The add-on advertises itself as a companion for a website or third party application, and offers functionality to provide data to the website. The main functionality is provided by the add-on. || Approve<br />
|}<br />
<br />
=== Submission Guidelines ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on requires use of an external service that is only available with login credentials, and the developer has not provided them. || Delayed Reject<br />
|-<br />
| The add-on contains obfuscated code (as opposed to minified code). <br /><br/>(Please see the [https://developer.mozilla.org/docs/Mozilla/Add-ons/Source_Code_Submission#Use_of_obfuscated_code Source Code Submission] page on how to differentiate obfuscated and minified code. Not everything that is unreadable is obfuscated.)<br />
| Reject Immediately<br />
|-<br />
| The add-on contains obfuscated code that seems to intentionally violate the policy. || Reject Immediately and Escalate<br />
|-<br />
| The add-on contains transpiled, minified or otherwise machine-generated code and has not provided source code. || Delayed Reject<br />
|-<br />
| The add-on requests additional permissions that are not required for the add-on to function. || Delayed Reject<br />
|-<br />
| The add-on contains transpiled, minified or otherwise machine-generated code and the source submission relies on outdated or unmaintained build tools || Delayed Reject<br />
|}<br />
<br />
=== Development Practices ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on requests additional permissions that are not required for the add-on to function. The developer argues they will need them in a future update. || Delayed Reject<br />
|-<br />
| The add-on loads and executes remote code.<br/><br/>If there is reason to believe the add-on is intentionally loading remote code, please escalate to a block. || Reject Immediately<br />
|-<br />
| The add-on uses a http channel to exchange information, while it is possible for the developer to use https.<br/><br/>If the developer has control over the remote infrastructure and can enable servers to use https, you can reject as they need to take this step. If the choice of http is outside of the developers hands, you may approve. || Reject Immediately<br />
|-<br />
| The add-on makes use of http as a result of the user entering an url that uses http.<br/><br/>Note: If such URLs can be upgraded to https, the developer should make reasonable effort to inform the user about an insecure connection and attempt to upgrade to https. || Delayed Reject<br />
|-<br />
| The add-on contains a large amount of duplicate files, or files not loaded by the add-on. || Delayed Reject<br />
|-<br />
| There is a ''noticeable'' impact on performance, for example opening a new tab takes very long because the new tab page is very resource-intensive. || Reject Immediately<br />
|-<br />
| The developer has not provided links to third party libraries, the links do not point to the original maintainer’s website, the library does not match the original checksum from the developer.<br /><br /> The developer should be asked to provide the link where they received the library as per the [https://extensionworkshop.com/documentation/publish/third-party-library-usage/ Third Party Libraries Usage guidelines]. If there is any indication that the modifications are intentionally violating policy, please [https://extensionworkshop.com/documentation/publish/add-ons-blocking-process/ reject immediately and escalate]. || Delayed Reject<br />
|-<br />
| The add-on sets a new tab page that redirects to a remote page. || Reject Immediately<br />
|}<br />
<br />
=== Data Disclosure, Collection and Management ===<br />
<br />
This section has a few items related to the privacy policy. We do not check the privacy policy for correctness. We do however make sure the privacy policy is more than just a link and generally about the add-on.<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on uses a privacy policy which is merely a link to an external website. || Delayed Reject<br />
|-<br />
| On a quick skim, the privacy policy seems to be about a website more than it is about the add-on. || Delayed Reject<br />
|-<br />
| The add-on is listed and doesn't link to its privacy policy hosted on AMO on its data collection consent page || Delayed Reject<br />
|-<br />
| The add-on is listed and links to a self-hosted privacy policy (as opposed to AMO hosted) on its data collection consent page || Reject Immediately<br />
|-<br />
| The add-on is unlisted and doesn't link to a self-hosted privacy policy on its data collection consent page || Reject Immediately<br />
|-<br />
| The add-on makes use of native messaging, but does not explain the data exchanged with this application in the privacy policy. || Delayed Reject<br />
|-<br />
| After code review it is clear that the add-on exchanges data with a third party service, but the add-on description and summary do not include a summary of the information collected. || Delayed Reject<br />
|-<br />
| The add-on exchanges data with a native application via native messaging, but the data being exchanged is not summarized in the description nor mentioned in the privacy policy. || Delayed Reject<br />
|-<br />
| The add-on exchanges data with a native application, but the data is not declared in the data collection consent experience within the add-on. || Reject Immediately<br />
|-<br />
| The add-on provides a search box for Google, Bing, Amazon etc. and search requests go through another website. || Reject Immediately<br />
|-<br />
| The add-on collects tab urls and is sending them as part of a request that doesn’t relate to actions based on the URL. This is considered ancillary data collection. || Reject Immediately<br />
|-<br />
| The add-on collects personal data, technical data, or user interaction data, and does not have a consent prompt when the add-on is first run (e.g. installed). || Reject Immediately<br />
|-<br />
| The add-on has a consent prompt, but it does not describe the data being collected || Reject Immediately<br />
|-<br />
| The add-on has a consent prompt that makes use of dark patterns to entice the user to accept. || Reject Immediately<br />
|-<br />
| The main purpose of the add-on is to collect and analyze form data. Therefore, the add-on collects personal data such as the name and email of the user and sends the data to the service, but without an opt-in for personal data. || Reject Immediately<br />
|-<br />
| An add-on collects all visited browser URLs without notice, as part of a feature that does not relate to the primary functionality of the add-on. || Reject Immediately<br />
|-<br />
| The add-on exchanges data via native messaging that does not belong to the primary functionality of the add-on and fails to adhere to the [https://extensionworkshop.com/documentation/publish/add-on-policies/#no-surprises no surprises requirements]. || Reject Immediately<br />
|-<br />
| The consent experience only offers the option to accept the data collection. || Reject Immediately<br />
|-<br />
| The consent experience offers the option to accept or uninstall, but the main functionality of the add-on will technically work without this type of data collection.<br/><br/>If the developer argues that collecting the data is required for business purposes, e.g. to maintain the add-on, this does not warrant an accept or uninstall behavior. || Reject Immediately<br />
|-<br />
| The add-on collects technical data and does not provide a way for the user to disable this type of data collection. || Reject Immediately<br />
|-<br />
| The add-on combines both personal and technical data into one option and does not provide a way to control them separately. || Reject Immediately<br />
|-<br />
| An update to the add-on adds consent experience but it is only displayed to new users and not to existing users upgrading to a newer version. || Reject Immediately<br />
|-<br />
| An update to the add-on contains additional data collection but that data isn't declared in the consent experience and/or the consent isn't displayed again to existing users upgrading to this version. || Reject Immediately<br />
|-<br />
| The consent experience is not shown immediately after installation, but the add-on does not collect any data until the user sees the consent. (For example, consent experience is shown at browser action click). || Delayed Reject<br />
|-<br />
| The consent experience is not shown immediately after installation, but data is being collected before the user can see the control mechanism. || Reject Immediately<br />
|-<br />
| The add-on collects personal data, technical data, or user interaction data and does not have a consent experience. || Reject Immediately<br />
|}<br />
<br />
=== Additional Privacy Protocols ===<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
| The add-on passes on cookies or other user-sensitive information to a native messaging application. || Reject immediately<br />
|-<br />
| The add-on stores information about tabs, but fails to exclude storing information from private browsing mode tabs. || Delayed Reject<br />
|}<br />
<br />
<br />
=== Monetization ===<br />
Monetization follows the same data disclosure policies as for other data and includes a few extra provisions to set user expectations. We define monetization as a feature of the add-on that results in a potential monetary benefit for the developer.<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on monetizes by injecting ads into web pages, but fails to identify the content as belonging to the add-on. || Reject Immediately<br />
|-<br />
| The add-on includes a crypto-mining function that mines coins in the background for the profit of the developer. || Reject Immediately<br />
|-<br />
| The add-on contains a crypto-mining function for the profit of the user (this is still a performance issue). || Reject Immediately<br />
|-<br />
| The add-on shows information about crypto coins by querying a web service for information (this is not mining). || Approve<br />
|-<br />
| The add-on changes all Amazon/Yahoo/etc. links on web pages to add affiliate tags to profit the developer. || Reject Immediately<br />
|-<br />
| The add-on has links that include affiliate tags within the browser popup of the add-on. || Approve<br />
|}<br />
<br />
=== Security, Compliance &amp; Blocking ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on injects remote data into an extension page or web page using innerHTML or other methods without prior sanitation. || Reject Immediately<br />
|-<br />
| The add-on makes use of React’s ''dangerouslySetInnerHTML'' with remote unsanitized data. || Reject Immediately<br />
|-<br />
| The add-on makes use of remote CSS scripts, which can cause security vulnerabilities in combination with libraries such as React and Angular. || Reject Immediately<br />
|-<br />
| The add-on seems to be intentionally violating our policies, such as collecting a cryptocurrency private key and sending it to a remote server. || Force Disable and Block<br />
|}<br />
<br />
<br />
[[Add-ons/Reviewers/Guide/Reviewing|Previous: Reviewing]] [[Add-ons/Reviewers/Guide/Moderation|Next: Moderation]]</div>Anagekarhttps://wiki.mozilla.org/index.php?title=Add-ons/Reviewers/Guide/Review_Decision&diff=1250029Add-ons/Reviewers/Guide/Review Decision2024-02-20T10:23:31Z<p>Anagekar: Added examples as per new policy update (15-02-2024)</p>
<hr />
<div>= Review Decision Guidelines =<br />
<br />
This page provides guidance to support reviewers in making consistent review decisions based on our [https://extensionworkshop.com/documentation/publish/add-on-policies/ Review Policies]. In addition, it explains how to best communicate with the developer when conducting add-on reviews. It is a supplement to our [[Add-ons/Reviewers/Guide/Reviewing|Reviewer Guide]].<br />
<br />
== Completing the Review ==<br />
Add-ons must be reviewed '''completely''', noting issues in the review comments field as you find them. We want to avoid sending multiple partial reviews to developers and give them an opportunity to address all policy violations at once in their next submission.<br />
<br />
In the following sections we will explain how canned responses should be used for the issues you find and guide you through the review actions. Finally, you are guided on how to respond if you find issues that cover multiple review actions.<br />
<br />
=== Use of Canned Responses ===<br />
To ensure developers receive consistent, actionable responses from the review team, AMO makes use of canned responses that cover many of our policy issues.<br />
<br />
If no canned response is available for the issue you have found, you may write a custom response specific to the situation. Keep in mind that when writing a response to the developer, all responses must be in line with our policies. This is especially true when using custom responses. If you are unsure your response conforms with the policy, an admin reviewer will be able to assist you.<br />
<br />
In addition, we’d love to hear from you believe the response is useful to add to the official list of canned responses. We would much prefer that reviewers use the canned responses to ensure consistent replies, therefore adding new canned responses could be very useful.<br />
<br />
In some cases the developer responds to your review, either via email or by uploading a new version, making clear that they did not fully understand how to act upon the canned response. In such cases, sending the same canned response again will not help resolve the situation. Here it makes sense to explain the policy issue in a different, possibly more verbose way, using your own words.<br />
<br />
==== Example ====<br />
While the review comments field is free-form, we have a de-facto standard approach that lists the review issues in numbered lists each with a headline. Note that your text is inserted into an email that handles all the formalities, you should not need to begin your review with “Dear Developer” or sign with your name.<br />
<br />
Commonly, we use a numbered list item for each review issue, along with headings to separate sections as needed. Here is an example review text to give you an idea:<br />
<br />
<pre><br />
This add-on didn't pass review because of the following problems:<br />
<br />
1) We don't allow add-ons to use remote scripts because they can create serious security vulnerabilities. We also need to review all add-on code, and this makes it much more difficult. Please insert those scripts locally from your add-on code.<br />
- pages/inject.html line 8<br />
<br />
In addition, the following information is required to complete the review:<br />
<br />
1) Please provide us with detailed information on how to test this add-on. If authentication to a website is necessary, give us a test username and password to facilitate our work. This can be provided in the Whiteboard field, which can be found in the Edit Listing page under the Technical Details section. This information is only available to reviewers.<br />
</pre><br />
<br />
=== Reviewer Replies ===<br />
With a reviewer reply, you can convey information to the developer. You can use this action to answer questions the developer may have about your review. All communication between developers and reviewers is captured on the review history page.<br />
<br />
If you need the developer to take action, please make use of a delayed rejection instead. Doing so makes sure the correct email template is used and AMO knows to remind us when the developer has not responded to the request.<br />
<br />
If you are unsure how to answer a response from a developer, or the developer is disputing your review, please get in touch with admins to make sure the developer receives a reply. Involving a second reviewer to confirm your review can also be helpful if the developer does not want to accept your reasoning.<br />
<br />
=== Delayed Rejection ===<br />
If the add-on has minor policy issues that don’t require an immediate rejection, the delayed rejection action should be used. AMO will then reach out to the developer, asking them to resolve the issue within the requested time frame. If the developer fails to comply, the marked versions will be rejected.<br />
<br />
To use a delayed rejection, select “Reject Multiple Versions”, and select the option to delay the rejection. All versions you have selected will be rejected after the time passes. You will need to determine when the developer started to use the code in question, so you can determine which versions to reject. Generally it is sufficient to check back until the last reviewed version, for example using a [https://en.wikipedia.org/wiki/Bisection_(software_engineering) bisection] approach. If the issue also exists in that last reviewed version, you will need to track back further.<br />
<br />
If the developer responds, you will receive email with the developer’s response. At this time you should return to the review page to continue reviewing using the information you received from the developer. Note that the developer may follow up with further questions about the information you are requesting. In all cases, please answer developers in a timely manner ('''within 2 days'''). If you are answering questions that require no further action or response, please use the “reviewer reply” action.<br />
<br />
If you cannot complete the review after the developer has provided information, please at least check if the developer has provided the information you have requested and leave a comment on the version so that other reviewers can continue your work.<br />
<br />
Similarly, if you come across an add-on where the developer has provided information but the original reviewer has not followed up within that time, you are welcome to complete the review. The original reviewer may have prior knowledge that would speed up the review, but at the same time we do not want to keep developers waiting.<br />
<br />
=== Immediate Rejection ===<br />
Rejecting an add-on’s versions can mean anything from showing an outdated version of the add-on to completely hiding the listing from addons.mozilla.org (when rejecting all public versions). Especially in the post-review model where add-ons are reviewed after initial approval, a rejection can lead to frustration from the developer. At the same time, we need to ensure that there are no policy violations that threaten user security or privacy.<br />
<br />
'''Our general policy is to only reject immediately when necessary'''. Rejection is necessary when an add-on has security or privacy issues, doesn't meet our content policies, or fits one of the examples described later on.<br />
<br />
When rejecting the add-on, you will need to determine all affected versions using the same approach as for a delayed rejection. You can then select the option to reject immediately.<br />
<br />
In case of a rejection, developers may have questions on how to best resolve the policy issues, or if they have trouble understanding the message. Similar to the delayed rejection, please answer in a timely manner using the reviewer reply feature.<br />
<br />
=== Multiple Categories of Issues ===<br />
If you find multiple issues within the add-on where there are both delayed and immediate rejections, you may reject the add-on immediately. Please make sure to clearly separate information needed to complete the review from rejection reasons. An example on how this can be done is shown above.<br />
<br />
=== Super-Review ===<br />
Using the “Request Super Review” action will put the add-on into the admin queue. There are few select cases where this would occur, please see the examples below for further details. If you have a concern that needs immediate admin attention, please get in touch with the admins via the channel described in the Escalation section, as there are no specific notifications to admins when you request super review.<br />
<br />
=== Escalation ===<br />
There are certain cases that are severe enough that the reviewer actions on addons.mozilla.org are not sufficient and you must inform the admin team. This is especially true for [[Add-ons/Reviewers/Content_Review_Guidelines#Sexual_Content|reporting child pornography]], add-ons containing abusive functionality or being of malicious nature that must be blocked in accordance with our [[Blocklisting|blocking policy]].<br />
<br />
In such cases, you should contact the admin team via email at amo-admins [at] mozilla [dot] com. You can find more examples on when to escalate later on this page.<br />
<br />
== Examples ==<br />
The following sections show a few common examples on how to respond to certain policy violations. Please note however these are merely examples intended to convey the intent we have with the policies. It should not be considered a complete list of review decisions.<br />
<br />
=== No Surprises ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on sends all visited URLs to a third party service without adhering to the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject Immediately<br />
|-<br />
| The add-on uses means such as webRequest to circumvent the permission prompts for new tab page, homepage or search engine changes. || Reject Immediately<br />
|-<br />
| The add-on changes browsing behavior inhibiting user actions, such as closing or hiding about:addons or other special pages when opened. || Escalate<br />
|-<br />
| The add-on unexpectedly makes use of redirection to block the user from visiting certain sites without providing the user an option to circumvent the redirection. The add-on is violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises policy]. || Reject Immediately<br />
|-<br />
| The add-on silently modifies web content, for example by exchanging words and images, or adding content. This feature is not part of the core functionality and is not described to the user in any way. || Delayed Reject<br />
|-<br />
| The add-on describes itself as e.g. “VPN Service”, while at the same time it also provides something completely unrelated to the add-on’s core function, such as altering the new tab page and providing affiliate search results.<br /><br />The additional features are not stated in the description, and there is no opt-in for the additional feature, violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject Immediately<br />
|-<br />
| An add-on provides UI to allow the user to make a no surprises choice, but the default action is to accept the choice (hence not an opt-in). || Delayed Reject<br />
|-<br />
| An add-on makes use of an “unexpected” feature as per no-surprises policy, but fails to indicate so in the add-on description. || Delayed Reject<br />
|}<br />
<br />
=== Content Policy ===<br />
The content review policies are detailed in separate guidelines. Here are a few select examples for the content policy:<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| Sexual Content: An add-on contains obscene or pornographic images in the icon, screenshots, or anywhere within the add-on UI. || Reject Immediately<br />
|-<br />
| Sexual Content: An add-on contains images of potential or actual child pornography. || Reject and Escalate Immediately<br />
|-<br />
| Hate Speech: The add-on listing or UI attacks a person or group based on the attributes described in the [https://www.mozilla.org/en-US/about/legal/acceptable-use/ acceptable use policy].<br /><br />If you are unsure certain phrasing is acceptable or not, please contact an admin. || Reject Immediately<br />
|-<br />
| Spam: The add-on clearly has the sole purpose of linking to a product or website and at the same time does not offer any functionality (e.g. “WATCH THIS MOVIE ONLINE”). || Reject Immediately<br />
|-<br />
| Spam: The listing contains a large amount of words and links unrelated to the add-on’s functionality clearly intending to increase SEO rating. || Reject Immediately<br />
|-<br />
| Trademarks: The add-on is named “Mozilla Frobnicator”, “Firefox Spice Dispenser” or similar, instead of “Frobnicator for Mozilla” or “Spice Dispenser for Firefox”. || Reject Immediately<br />
|-<br />
| Trademarks: The add-on is related to [https://getpocket.com/ Pocket], and is named “Pocket Reader” or similar, instead of “Reader for Pocket”. || Reject Immediately<br />
|-<br />
| The add-on’s code, functionality or service used indicates that payment is required to use the core functionality of the add-on but the developer has not selected this option in the listing. || Delayed Reject<br />
|-<br />
| The add-on only functions within a closed environment, such as only for employees of a specific company (“internal or private use”). <br/><br/> If the add-on has just been submitted to AMO, rejecting immediately is acceptable. Otherwise, delaying the rejection gives developers time to migrate their services to point to the new self-hosted location. || Delayed Reject<br />
|-<br />
| Users can only sign up to the service using a “contact us” link on the website. There is no apparent web sign-up process (“only accessible to a closed user group”).<br /><br />(Note that especially on sites with foreign languages, maybe you just missed it. Best to ask the developer to provide information on how a user would sign up. If they can’t provide the information or confirm there is no web sign-up process, the add-on can be rejected). || Delayed Reject<br />
|-<br />
| The add-on is clearly a fork of another add-on, while not providing a significant difference in functionality or code. (This should be a joint decision, we want to make sure not to block creativity by being too strict on “significant difference”) || Request Super Review<br />
|-<br />
| The add-on listing is well described, but requires knowledge of the specific system being used in combination with the add-on. || Approve<br />
|-<br />
| The add-on advertises functionality as part of the extension, that is provided completely by a website or third party application. The add-on merely opens the website. || Reject Immediately<br />
|-<br />
| The add-on advertises itself as a companion for a website or third party application, and offers functionality to provide data to the website. The main functionality is provided by the add-on. || Approve<br />
|}<br />
<br />
=== Submission Guidelines ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on requires use of an external service that is only available with login credentials, and the developer has not provided them. || Delayed Reject<br />
|-<br />
| The add-on contains obfuscated code (as opposed to minified code). <br /><br/>(Please see the [https://developer.mozilla.org/docs/Mozilla/Add-ons/Source_Code_Submission#Use_of_obfuscated_code Source Code Submission] page on how to differentiate obfuscated and minified code. Not everything that is unreadable is obfuscated.)<br />
| Reject Immediately<br />
|-<br />
| The add-on contains obfuscated code that seems to intentionally violate the policy. || Reject Immediately and Escalate<br />
|-<br />
| The add-on contains transpiled, minified or otherwise machine-generated code and has not provided source code. || Delayed Reject<br />
|-<br />
| The add-on requests additional permissions that are not required for the add-on to function. || Delayed Reject<br />
|-<br />
| The add-on contains transpiled, minified or otherwise machine-generated code and the source submission relies on outdated or unmaintained build tools || Delayed Reject<br />
|}<br />
<br />
=== Development Practices ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on requests additional permissions that are not required for the add-on to function. The developer argues they will need them in a future update. || Delayed Reject<br />
|-<br />
| The add-on loads and executes remote code.<br/><br/>If there is reason to believe the add-on is intentionally loading remote code, please escalate to a block. || Reject Immediately or Escalate<br />
|-<br />
| The add-on uses a http channel to exchange information, while it is possible for the developer to use https.<br/><br/>If the developer has control over the remote infrastructure and can enable servers to use https, you can reject as they need to take this step. If the choice of http is outside of the developers hands, you may approve. || Reject Immediately<br />
|-<br />
| The add-on makes use of http as a result of the user entering an url that uses http.<br/><br/>Note: If such URLs can be upgraded to https, the developer should make reasonable effort to inform the user about an insecure connection and attempt to upgrade to https. || Delayed Reject<br />
|-<br />
| The add-on contains a large amount of duplicate files, or files not loaded by the add-on. || Delayed Reject<br />
|-<br />
| There is a ''noticeable'' impact on performance, for example opening a new tab takes very long because the new tab page is very resource-intensive. || Reject Immediately<br />
|-<br />
| The developer has not provided links to third party libraries, the links do not point to the original maintainer’s website, the library does not match the original checksum from the developer.<br /><br /> The developer should be asked to provide the link where they received the library as per the [https://extensionworkshop.com/documentation/publish/third-party-library-usage/ Third Party Libraries Usage guidelines]. If there is any indication that the modifications are intentionally violating policy, please [https://extensionworkshop.com/documentation/publish/add-ons-blocking-process/ reject immediately and escalate]. || Delayed Reject<br />
|-<br />
| The add-on sets a new tab page that redirects to a remote page. || Reject Immediately<br />
|}<br />
<br />
=== Data Disclosure, Collection and Management ===<br />
<br />
This section has a few items related to the privacy policy. We do not check the privacy policy for correctness. We do however make sure the privacy policy is more than just a link and generally about the add-on.<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on uses a privacy policy which is merely a link to an external website. || Delayed Reject<br />
|-<br />
| On a quick skim, the privacy policy seems to be about a website more than it is about the add-on. || Delayed Reject<br />
|-<br />
| The add-on is listed and doesn't link to its privacy policy hosted on AMO on its data collection consent page || Reject Immediately<br />
|-<br />
| The add-on is listed and links to a self-hosted privacy policy (as opposed to AMO hosted) on its data collection consent page || Reject Immediately<br />
|-<br />
| The add-on is unlisted and doesn't link to a self-hosted privacy policy on its data collection consent page || Reject Immediately<br />
|-<br />
| The add-on makes use of native messaging, but does not explain the data exchanged with this application in the privacy policy. || Delayed Reject<br />
|-<br />
| After code review it is clear that the add-on exchanges data with a third party service, but the add-on description and summary do not include a summary of the information collected. || Delayed Reject<br />
|-<br />
| The add-on exchanges data with a native application via native messaging, but the data being exchanged is not summarized in the description nor mentioned in the privacy policy. || Delayed Reject<br />
|-<br />
| The add-on exchanges data with a native application, but the data is not declared in the data collection consent experience within the add-on. || Reject Immediately<br />
|-<br />
| The add-on provides a search box for Google, Bing, Amazon etc. and search requests go through another website. || Reject Immediately<br />
|-<br />
| The add-on collects tab urls and is sending them as part of a request that doesn’t relate to actions based on the URL. This is considered ancillary data collection. || Reject Immediately<br />
|-<br />
| The add-on collects personal data, technical data, or user interaction data, and does not have a consent prompt when the add-on is first run (e.g. installed). || Reject Immediately<br />
|-<br />
| The add-on has a consent prompt, but it does not describe the data being collected || Delayed Reject<br />
|-<br />
| The add-on has a consent prompt that makes use of dark patterns to entice the user to accept. || Delayed Reject<br />
|-<br />
| The main purpose of the add-on is to collect and analyze form data. Therefore, the add-on collects personal data such as the name and email of the user and sends the data to the service, but without an opt-in for personal data. || Reject Immediately<br />
|-<br />
| An add-on collects all visited browser URLs without notice, as part of a feature that does not relate to the primary functionality of the add-on. || Reject Immediately<br />
|-<br />
| The add-on exchanges data via native messaging that does not belong to the primary functionality of the add-on and fails to adhere to the [https://extensionworkshop.com/documentation/publish/add-on-policies/#no-surprises no surprises requirements].<br/><br/>In severe cases, such as when sensitive data is being exchanged, please reject immediately. || Delayed Reject<br />
|-<br />
| The consent experience only offers the option to accept the data collection. || Delayed Reject<br />
|-<br />
| The consent experience offers the option to accept or uninstall, but the main functionality of the add-on will technically work without this type of data collection.<br/><br/>If the developer argues that collecting the data is required for business purposes, e.g. to maintain the add-on, this does not warrant an accept or uninstall behavior. || Delayed Reject<br />
|-<br />
| The add-on collects technical data and does not provide a way for the user to disable this type of data collection. || Delayed Reject<br />
|-<br />
| The add-on combines both personal and technical data into one option and does not provide a way to control them separately. || Delayed Reject<br />
|-<br />
| An update to the add-on adds consent experience but it is only displayed to new users and not to existing users upgrading to a newer version. || Reject Immediately<br />
|-<br />
| An update to the add-on contains additional data collection but that data isn't declared in the consent experience and/or the consent isn't displayed again to existing users upgrading to this version. || Reject Immediately<br />
|}<br />
<br />
=== Additional Privacy Protocols ===<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
| The add-on passes on cookies or other user-sensitive information to a native messaging application. || Reject immediately<br />
|-<br />
| The add-on stores information about tabs, but fails to exclude storing information from private browsing mode tabs. || Delayed Reject<br />
|}<br />
<br />
<br />
=== Monetization ===<br />
Monetization follows the same data disclosure policies as for other data and includes a few extra provisions to set user expectations. We define monetization as a feature of the add-on that results in a potential monetary benefit for the developer.<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on monetizes by injecting ads into web pages, but fails to identify the content as belonging to the add-on. || Delayed Reject<br />
|-<br />
| The add-on includes a crypto-mining function that mines coins in the background for the profit of the developer. || Reject Immediately<br />
|-<br />
| The add-on contains a crypto-mining function for the profit of the user (this is still a performance issue). || Reject Immediately<br />
|-<br />
| The add-on shows information about crypto coins by querying a web service for information (this is not mining). || Approve<br />
|-<br />
| The add-on changes all Amazon/Yahoo/etc. links on web pages to add affiliate tags to profit the developer. || Reject Immediately<br />
|-<br />
| The add-on has links that include affiliate tags within the browser popup of the add-on. || Approve<br />
|}<br />
<br />
=== Security, Compliance &amp; Blocking ===<br />
<br />
{| class="wikitable" style="width: 100%"<br />
|-<br />
! scope="col" | Example<br />
! scope="col" style="width: 10.5em" | Verdict<br />
|-<br />
| The add-on injects remote data into an extension page or web page using innerHTML or other methods without prior sanitation. || Reject Immediately<br />
|-<br />
| The add-on makes use of React’s ''dangerouslySetInnerHTML'' with remote unsanitized data. || Reject Immediately<br />
|-<br />
| The add-on makes use of remote CSS scripts, which can cause security vulnerabilities in combination with libraries such as React and Angular. || Reject Immediately<br />
|-<br />
| The add-on seems to be intentionally violating our policies, such as collecting a cryptocurrency private key and sending it to a remote server. || Escalate<br />
|}<br />
<br />
<br />
[[Add-ons/Reviewers/Guide/Reviewing|Previous: Reviewing]] [[Add-ons/Reviewers/Guide/Moderation|Next: Moderation]]</div>Anagekarhttps://wiki.mozilla.org/index.php?title=Add-ons/Extension_Signing&diff=1246102Add-ons/Extension Signing2023-04-11T14:16:37Z<p>Anagekar: Typo fixed</p>
<hr />
<div>Mozilla requires all extensions to be signed by Mozilla in order for them to be installable in Release and Beta versions of Firefox. Extensions submitted on [https://addons.mozilla.org/ addons.mozilla.org (AMO)] are signed as part of the review process, and a [http://addons-server.readthedocs.io/en/latest/topics/api/signing.html signing service] is also offered. Additional information on the extension submission and signing process is [https://developer.mozilla.org/en-US/Add-ons/Distribution available on MDN].<br />
<br />
== Algorithm ==<br />
<br />
Extension signing is controlled by Mozilla and requires access to a private signing infrastructure exposed by [https://addons.mozilla.org/ AMO], and internal services like [https://github.com/mozilla-services/autograph Autograph].<br />
<br />
Add-ons and Extensions are XPI files (zip archives) where each file in the archives is hashed, and the manifest containing all the hashes is signed. When signing an extension, a manifest file containing the hash of each file in the XPI is first generated. The manifest file is stored in the signed XPI under '''META-INF/manifest.mf'''. The snippet below shows an example of manifest file.<br />
<source><br />
Manifest-Version: 1.0<br />
<br />
Name: install.rdf<br />
Digest-Algorithms: MD5 SHA1<br />
MD5-Digest: rzkfLZ5nC80leZsgMSGT3w==<br />
SHA1-Digest: +43YVUxeOYeiJeOKeJaRdancg5I=<br />
<br />
Name: bootstrap.js<br />
Digest-Algorithms: MD5 SHA1<br />
MD5-Digest: 2rUx2iRkGHx9yehpvoF2Wg==<br />
SHA1-Digest: 7F7q7SUdOpxp7EYDFLENUqrNWMo=<br />
<br />
Name: test.txt<br />
Digest-Algorithms: MD5 SHA1<br />
MD5-Digest: tT4aaxDCqRgFrpVHhe//Wg==<br />
SHA1-Digest: 8mPWZnQPS9arW9Tu/vmC+JHgnYA=<br />
</source><br />
<br />
A signature file is then created containing the hash of the manifest file (eg. `openssl dgst -binary -sha1 manifest.mf | base64`). The signature file is stored in the XPI under '''META-INF/mozilla.sf'''. An example is shown below:<br />
<source><br />
Signature-Version: 1.0<br />
MD5-Digest-Manifest: OlmmwIHcPmhoIt4uMxdh8A==<br />
SHA1-Digest-Manifest: 82zZH0Aq6GaTNMq+PnBlzep6fEA=<br />
</source><br />
<br />
A PKCS7 detached signature is computed on "mozilla.sf", using a signing certificate generated for each signature. The signing certificate, also called end-entity cert, is issued by an intermediate certificate of the Firefox private PKI. No special key usage or extended key usage is required in the end-entity cert, but its subject CN must match the add-on ID (for example, add-on ID test@tests.mozilla.org would have a cert CN set to that value).<br />
<br />
Note: If the add-on ID is longer than 64 characters, we use the SHA256 hash of the add-on ID in the end-entity subject CN, to work around issues with long string in certificates (see [https://bugzilla.mozilla.org/show_bug.cgi?id=1203787 bug 1203787]).<br />
<br />
The [https://tools.ietf.org/html/rfc2315 PKCS #7 (section 9.1 SignedData type)] signature is a binary file stored in the XPI under '''META-INF/mozilla.rsa'''. Because it is a standard PKCS7 signature, it can be verified using OpenSSL, as follows:<br />
<source lang:bash><br />
$ openssl cms -verify -inform der -in META-INF/mozilla.rsa -content META-INF/mozilla.sf -CAfile test.addons.signing.root.ca.crt -purpose any<br />
Signature-Version: 1.0<br />
MD5-Digest-Manifest: OlmmwIHcPmhoIt4uMxdh8A==<br />
SHA1-Digest-Manifest: 82zZH0Aq6GaTNMq+PnBlzep6fEA=<br />
<br />
Verification successful<br />
</source><br />
<br />
Both the end-entity and the intermediate certificates are also stored in the<br />
SignedData.Certificates document. The root cert is not stored in the document<br />
but shipped with Firefox directly.<br />
<br />
When installing add-ons, Firefox does the following verifications:<br />
<br />
* verify the signature of `mozilla.sf` using `mozilla.rsa`<br />
* verify the signing cert chains back to the Firefox Root CA<br />
* verify the hash of `manifest.mf` matches the hash stored in `mozilla.sf`<br />
* verify the hashes of all files in the XPI match the hashes stored in `manifest.mf`<br />
* verify all files in the XPI are listed in `manifest.mf`<br />
<br />
=== Signing of special add-ons ===<br />
There are three special cases of add-ons developed by Mozilla: System add-ons and Mozilla Extensions.<br />
<br />
* If the add-on is a system add-on, the Organizational Unit (OU) of the end-entity certificate must be set to "Mozilla Components".<br />
* If the add-on is a Mozilla Extension, the OU of the EE cert must be set to "Mozilla Extensions".<br />
* If the add-on is signed with the staging root, in Nightly you need to set the pref `xpinstall.signatures.dev-root = true` to tell Firefox to verify it<br />
<br />
refs:<br />
* https://searchfox.org/mozilla-central/source/toolkit/mozapps/extensions/internal/XPIProvider.jsm<br />
* Out-dated information about how XPIs were signed in the past: https://web.archive.org/web/20200105223104/https://developer.mozilla.org/en-US/docs/Archive/Add-ons/Signing_an_XPI<br />
<br />
== Documentation ==<br />
* [https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/ Introducing Extension Signing], Add-ons Blog.<br />
* [https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/ The Case for Extension Signing], Add-ons Blog.<br />
* [https://bugzilla.mozilla.org/show_bug.cgi?id=signed-addons Main tracking bug].<br />
* [https://extensionworkshop.com/documentation/publish/signing-and-distribution-overview/#distributing-your-addon Signing and distributing your add-on], Extension Workshop.<br />
<br />
== Timeline ==<br />
Check the [[RapidRelease/Calendar|Firefox Release Calendar]] for specific dates. The following timelines are for Desktop:<br />
<br />
* '''Firefox 40-42''': Firefox warns about signatures but doesn't enforce them.<br />
* '''Firefox 43''': Firefox enforces the use of signatures by default, but has a preference that allows signature enforcement to be disabled (''xpinstall.signatures.required'' in about:config).<br />
* '''Firefox 48''': (Pushed from Firefox 46). Release and Beta versions of Firefox for Desktop will not allow unsigned extensions to be installed, with no override. Firefox for Android will enforce add-on signing, and will retain a preference &mdash; which will be removed in a future release &mdash; to allow the user to disable signing enforcement.<br />
<br />
The first ESR version to include signing support will be the Firefox ESR 52 release. <br />
<br />
All Firefox extensions - for Desktop and Android - on AMO that have passed review are now signed.<br />
<br />
For unlisted (non-AMO) add-ons, submission and signing is active through [https://addons.mozilla.org AMO], and there is a [https://blog.mozilla.org/addons/2015/11/20/signing-api-now-available/ Signing API available] for automated submission and retrieval of unlisted add-ons.<br />
<br />
== Unbranded Builds ==<br />
<br />
Unbranded builds are available from the continuous integration builds on [https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta treeherder.mozilla.org]. <br />
Make sure to download those builds from each OS which has the string addon next to it, select '''B''', then the Artifacts tab on the bottom and then download the required format target.zip, target.tar.bz2 or target.dmg for the required OS. Links to the latest beta and release builds are below. If they are outdated (they are not updated automatically), you can find builds yourself using the following links:<br />
<br />
* [https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&searchStr=addon release]<br />
* [https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&searchStr=addon beta] (you may need to grow the list of changesets if there have been lots of locale updates, using the "10" or "20" buttons at the bottom of the page)<br />
<br />
=== Latest Builds ===<br />
<br />
'''Note:''' All Windows, Linux and Mac builds have a filename of target.zip, target.tar.bz2 and target.dmg, respectively. This is normal, and a result of the build process. <br />
<br />
'''Release builds''' <br />
<br />
Latest release (Firefox 107.0.1 - [https://hg.mozilla.org/releases/mozilla-release/rev/a9a9c8c68bad changeset a9a9c8c68bad]) builds:<br />
<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Oq38MGMjQWurD0H2NT6Fow/runs/0/artifacts/public/build/target.tar.bz2 Linux]<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eKmg7lqYR0mYGFw8BTK3HQ/runs/0/artifacts/public/build/target.dmg Mac OSX]<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WAk7XbKSSrGd4fgW_qtZnA/runs/0/artifacts/public/build/target.zip Windows 32-bit]<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/acBk24KkRGyLuq4B9PH7Xg/runs/0/artifacts/public/build/target.zip Windows 64-bit]<br />
<br />
'''Beta builds'''<br />
<br />
Latest beta (Firefox 108.0b9 - [https://hg.mozilla.org/releases/mozilla-beta/rev/c8001afe2852 changeset c8001afe2852]) builds:<br />
<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/INz3IM-nRseKkVVotNfe5Q/runs/0/artifacts/public/build/target.tar.bz2 Linux]<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/I6refEPVQZqq0uU3FNwNpA/runs/0/artifacts/public/build/target.dmg Mac OSX]<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eMaGcx8fSGCn04j_FkpOvw/runs/0/artifacts/public/build/target.zip Windows 32-bit]<br />
* [https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JMsCBdHoQxuCp4sb1CoOgQ/runs/0/artifacts/public/build/target.zip Windows 64-bit]<br />
<br />
== FAQ ==<br />
* Which add-on types will need to be signed?<br />
** Only extensions ([https://developer.mozilla.org/en-US/Add-ons/Install_Manifests#type type 2] in install.rdf)--this includes WebExtensions. Themes, dictionaries, language packs, and plugins don't need to be signed.<br />
<br />
* Will other applications like Thunderbird, Seamonkey, Palemoon, etc. require extensions to be signed?<br />
** The leaders of each of those projects will decide if they want to enforce signing, keep it as a setting, or deactivate it by default. We haven't heard about any other applications planning to support this.<br />
<br />
* Will signed extensions work on other applications or older versions of Firefox?<br />
** Yes, the signature system is built on top of the [https://developer.mozilla.org/en-US/docs/Signing_a_XPI existing add-on signing feature], which has been supported in Firefox and other applications.<br />
<br />
* Will there be a setting or other overrides to disable signature checks?<br />
** Firefox Release and Beta versions will not have any way to disable signature checks. Signature checks can be disabled in other versions, as described in detail below.<br />
<br />
* What are my options if I want to install unsigned extensions in Firefox?<br />
** The [https://nightly.mozilla.org/ Nightly] and [https://www.mozilla.org/firefox/developer/ Developer Edition] versions of Firefox have a preference to disable signature enforcement. There are also be special [https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded_Builds unbranded versions of Release and Beta] that have this preference, so that add-on developers can work on their add-ons without having to sign every build. To disable signature checks, you will need to set the <code>xpinstall.signatures.required</code> preference to "false".<br />
*** type <code>about:config</code> into the URL bar in Firefox<br />
*** in the Search box type <code>xpinstall.signatures.required</code><br />
*** double-click the preference, or right-click and selected "Toggle", to set it to <code>false</code>.<br />
<br />
* How do the [[Add-ons/Extension_Signing#Unbranded_Builds|unbranded versions of Firefox]] work?<br />
** They work just like Firefox, with two differences: they have a setting to disable mandatory signature checks, and they don't have the Firefox name and logo (instead using a generic name and logo). These builds are available in the en-US locale only.<br />
<br />
* What about private add-ons used in enterprise environments?<br />
** The ESR release supports signing starting with version 45-based releases. Signing enforcement is enabled by default in these releases, and enforcement can be disabled using the <code>xpinstall.signatures.required</code> preference.<br />
<br />
* How do I get my add-ons signed if they are hosted on addons.mozilla.org (AMO)?<br />
** No action is required. We automatically sign reviewed versions of all add-ons currently hosted on AMO. All new versions will be signed automatically after they pass review. <br />
<br />
* How do I get my add-ons signed if they are not hosted on addons.mozilla.org (AMO)?<br />
** You will need to create an AMO account and submit your add-on. There will be an option where you indicate the add-on won't be listed on AMO, and you'll be able to submit your add-on files without having them published on the site. Please read the [https://developer.mozilla.org/en-US/Add-ons/Distribution Distribution Policy] for more details.<br />
** You can also use the [https://extensionworkshop.com/documentation/develop/web-ext-command-reference/#web-ext-sign web-ext sign] command to generate a signed XPI that can be self-hosted.<br />
** There is an [https://addons-server.readthedocs.io/en/latest/topics/api/signing.html API you can use] for signing.<br />
<br />
* How does the signing process work for unlisted add-ons?<br />
** For unlisted add-ons, files submitted for signing go through an automated review process. If they pass this review, they are automatically signed and a download link is sent back to the developer. This process should normally take seconds.<br />
** There is an [https://addons-server.readthedocs.io/en/latest/topics/api/signing.html API you can use] for signing.<br />
<br />
* Will I need to sign the custom version of an existing add-on I created with my own code changes, locale additions, etc.?<br />
** If you use it on Release or Beta, yes. You will also need to change the add-on ID in order to submit it for signing.<br />
<br />
* Is this a way for Mozilla to censor add-ons they don't like, enforce copyright, government demands, etc.?<br />
** No, the purpose of this is to protect users from malicious add-ons. We have [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews a set of guidelines] for when it is appropriate to blocklist an add-on and have refused multiple times to block for other reasons.<br />
<br />
* Will there be an upload and signing API so I don't have to manually upload each new version of the add-on?<br />
** Yes. The [https://addons-server.readthedocs.io/en/latest/topics/api/signing.html signing API is documented here].<br />
<br />
* Will this protect users against all forms of add-on malware?<br />
** No, there is no perfect solution for this. Fighting malware requires defenses on many levels: operating system,, application, user, and even industry. Extension signing is a big step in protecting Firefox against malicious add-ons, but there is much more to do in other fronts to ensure the best experience for our users.<br />
<br />
== Feedback and Questions ==<br />
For questions about signing, you can use [https://developer.mozilla.org/en-US/Add-ons#Contact_us any of our communication channels].</div>Anagekar