(Add more examples) |
(→Examples: Updates for delayed rejection feature) |
||
Line 69: | Line 69: | ||
== Examples == | == Examples == | ||
The following sections show a few common examples on how to respond to certain policy violations. Please note however these are merely examples intended to convey the intent we have with the policies. It should not be considered a complete list of review decisions. | The following sections show a few common examples on how to respond to certain policy violations. Please note however these are merely examples intended to convey the intent we have with the policies. It should not be considered a complete list of review decisions. You will find the following actions: | ||
* '''Approve''': The add-on can be approved, or approval confirmed | |||
* '''Delayed Rejection''': The add-on should be rejected, with the option to delay the rejection set. | |||
* '''Reject Immediately''': The add-on should be rejected immediately without a delay | |||
* '''Escalate''': Make use of the [https://extensionworkshop.com/documentation/publish/add-ons-blocking-process/ blocking process] and/or make AMO admins aware of the issue. | |||
=== No Surprises === | === No Surprises === | ||
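Review bot: The new action list names the second action "Delayed Rejection", but the verdict cells updated in this revision all say "Delayed Reject". Use one name so a reviewer can match a verdict to its definition. The list item also does not say how long the delay is or what the developer is expected to do during it; a short clause or a link would cover that. The "Approve" and "Reject Immediately" items are missing their closing periods.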
Line 76: | Line 81: | ||
! Example !! Verdict | ! Example !! Verdict | ||
|- | |- | ||
| The add-on sends all visited URLs to a third party service without adhering to the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject | | The add-on sends all visited URLs to a third party service without adhering to the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject Immediately | ||
|- | |- | ||
| The add-on uses means such as webRequest to circumvent the permission prompts for new tab page, homepage or search engine changes. || Reject | | The add-on uses means such as webRequest to circumvent the permission prompts for new tab page, homepage or search engine changes. || Reject Immediately | ||
|- | |- | ||
| The add-on changes browsing behavior inhibiting user actions, such as closing or hiding about:addons or other special pages when opened || Escalate | | The add-on changes browsing behavior inhibiting user actions, such as closing or hiding about:addons or other special pages when opened. || Escalate | ||
|- | |- | ||
| The add-on unexpectedly makes use of redirection to block the user from visiting certain sites without providing the user an option to circumvent the redirection. The add-on is violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises policy]. || Reject | | The add-on unexpectedly makes use of redirection to block the user from visiting certain sites without providing the user an option to circumvent the redirection. The add-on is violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises policy]. || Reject Immediately | ||
|- | |- | ||
| The add-on silently modifies web content, for example by exchanging words and images, or adding content. This feature is not part of the core functionality and is not described to the user in any way. || Reject | | The add-on silently modifies web content, for example by exchanging words and images, or adding content. This feature is not part of the core functionality and is not described to the user in any way. || Delayed Reject | ||
|- | |- | ||
| The add-on describes itself as e.g. “VPN Service”, while at the same time it also provides something completely unrelated to the add-on’s core function, such as altering the new tab page and providing affiliate search results.<br /><br />The additional features are not stated in the description, and there is no opt-in for the additional feature, violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject | | The add-on describes itself as e.g. “VPN Service”, while at the same time it also provides something completely unrelated to the add-on’s core function, such as altering the new tab page and providing affiliate search results.<br /><br />The additional features are not stated in the description, and there is no opt-in for the additional feature, violating the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject Immediately | ||
|- | |- | ||
| An add-on provides UI to allow the user to make a no surprises choice, but the default action is to accept the choice (hence not an opt-in) | | An add-on provides UI to allow the user to make a no surprises choice, but the default action is to accept the choice (hence not an opt-in). || Delayed Reject | ||
|- | |- | ||
| An add-on makes use of an “unexpected” feature as per no-surprises policy, but fails to indicate so in the add-on description. || | | An add-on makes use of an “unexpected” feature as per no-surprises policy, but fails to indicate so in the add-on description. || Delayed Reject | ||
|} | |} | ||
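Review bot: In the row about silently modifying web content, the verdict becomes "Delayed Reject" while the other undisclosed behaviours in this table (sending visited URLs, unexpected redirection, the unrelated new tab and affiliate search features) become "Reject Immediately". The row does not say what makes it less urgent. Add a short clause naming the criterion so the two verdicts are applied consistently.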
Line 100: | Line 105: | ||
! Example !! Verdict | ! Example !! Verdict | ||
|- | |- | ||
| Sexual Content: An add-on contains obscene or pornographic images in the icon, screenshots, or anywhere within the add-on UI || Reject | | Sexual Content: An add-on contains obscene or pornographic images in the icon, screenshots, or anywhere within the add-on UI. || Reject Immediately | ||
|- | |- | ||
| Sexual Content: An add-on contains images of potential or actual child pornography || Escalate | | Sexual Content: An add-on contains images of potential or actual child pornography. || Escalate | ||
|- | |- | ||
| Hate Speech: The add-on listing or UI attacks a person or group based on the attributes described in the [https://www.mozilla.org/en-US/about/legal/acceptable-use/ acceptable use policy].<br /><br />If you are unsure certain phrasing is acceptable or not, please contact an admin. || Reject | | Hate Speech: The add-on listing or UI attacks a person or group based on the attributes described in the [https://www.mozilla.org/en-US/about/legal/acceptable-use/ acceptable use policy].<br /><br />If you are unsure certain phrasing is acceptable or not, please contact an admin. || Reject Immediately | ||
|- | |- | ||
| Spam: The add-on clearly has the sole purpose of linking to a product or website and at the same time does not offer any functionality (e.g. “WATCH THISMOVIE ONLINE”) || Reject | | Spam: The add-on clearly has the sole purpose of linking to a product or website and at the same time does not offer any functionality (e.g. “WATCH THISMOVIE ONLINE”). || Reject Immediately | ||
|- | |- | ||
| Spam: The listing contains a large amount of words and links unrelated to the add-on’s functionality clearly intending to increase SEO rating || Reject | | Spam: The listing contains a large amount of words and links unrelated to the add-on’s functionality clearly intending to increase SEO rating. || Reject Immediately | ||
|- | |- | ||
| | | The add-on’s code, functionality or service used indicates that payment is required to use the core functionality of the add-on but the developer has not selected this option in the listing. || Delayed Reject | ||
|- | |- | ||
| The add- | | The add-on only functions within a closed environment, such as only for employees of a specific company (“internal or private use”). || Delayed Reject | ||
|- | |- | ||
| Users can only sign up to the service using a “contact us” link on the website. There is no apparent web sign-up process.<br /><br />(Note that especially on sites with foreign languages, maybe you just missed it. Best to ask the developer to provide information on how a user would sign up. If they can’t provide the information or confirm there is no web sign-up process, the add-on can be rejected). || Delayed Reject | |||
| Users can only sign up to the service using a “contact us” link on the website. There is no apparent web sign-up process.<br /><br />(Note that especially on sites with foreign languages, maybe you just missed it. Best to ask the developer to provide information on how a user would sign up. If they can’t provide the information or confirm there is no web sign-up process, the add-on can be rejected) || | |||
|- | |- | ||
| The add-on is clearly a fork of another add-on, while not providing a significant difference in functionality or code. (This should be a joint decision, we want to make sure not to block creativity by being too strict on “significant difference”) || Request Super Review | | The add-on is clearly a fork of another add-on, while not providing a significant difference in functionality or code. (This should be a joint decision, we want to make sure not to block creativity by being too strict on “significant difference”) || Request Super Review | ||
|- | |- | ||
| The add-on listing is well described, but requires knowledge of the specific system being used in combination with the add-on || Approve | | The add-on listing is well described, but requires knowledge of the specific system being used in combination with the add-on. || Approve | ||
|} | |} | ||
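Review bot: The "contact us" sign-up row now carries "Delayed Reject", but its parenthetical still tells the reviewer to ask the developer first and to reject only if they cannot provide the information. State whether the delayed rejection is itself the way to ask, or whether the question comes first and the verdict applies only afterwards.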
Line 129: | Line 132: | ||
! Example !! Verdict | ! Example !! Verdict | ||
|- | |- | ||
| The add-on requires use of an external service that is only available with login credentials, and the developer has not provided them. || | | The add-on requires use of an external service that is only available with login credentials, and the developer has not provided them. || Delayed Reject | ||
|- | |- | ||
| The add-on contains obfuscated code (as opposed to minified code). | | The add-on contains obfuscated code (as opposed to minified code). <br /><br/>(Please see the [https://developer.mozilla.org/docs/Mozilla/Add-ons/Source_Code_Submission#Use_of_obfuscated_code Source Code Submission] page on how to differentiate obfuscated and minified code. Not everything that is unreadable is obfuscated.) | ||
| Reject Immediately | |||
(Please see the [https://developer.mozilla.org/docs/Mozilla/Add-ons/Source_Code_Submission#Use_of_obfuscated_code Source Code Submission] page on how to differentiate obfuscated and minified code. Not everything that is unreadable is obfuscated.) | |||
| Reject | |||
|- | |- | ||
| The add-on contains obfuscated code that seems to intentionally violate the policy. || Reject and Escalate | | The add-on contains obfuscated code that seems to intentionally violate the policy. || Reject Immediately and Escalate | ||
|- | |- | ||
| The add-on contains transpiled, minified or otherwise machine-generated code and has not provided source code. || | | The add-on contains transpiled, minified or otherwise machine-generated code and has not provided source code. || Delayed Reject | ||
|- | |- | ||
| The add-on requests additional permissions that are not required for the add-on to function. || Reject | | The add-on requests additional permissions that are not required for the add-on to function. || Delayed Reject | ||
|} | |} | ||
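Review bot: The obfuscated-code row becomes "Reject Immediately" while the transpiled or minified row becomes "Delayed Reject", so the verdict now depends on a distinction the row's own note says is easy to get wrong ("Not everything that is unreadable is obfuscated"). Say which verdict applies when the reviewer cannot tell the two apart. The two break tags added to that row are also written differently from each other.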
Line 149: | Line 150: | ||
! Example !! Verdict | ! Example !! Verdict | ||
|- | |- | ||
| The add-on requests additional permissions that are not required for the add-on to function. The developer argues they will need them in a future update. || | | The add-on requests additional permissions that are not required for the add-on to function. The developer argues they will need them in a future update. || Delayed Reject | ||
|- | |- | ||
| The add-on | | The add-on loads and executes remote code. || Reject Immediately | ||
|- | |- | ||
| | | The add-on uses a http channel to exchange sensitive information such as user credentials. || Reject Immediately | ||
|- | |- | ||
| The | | The add-on contains a large amount of duplicate files, or files not loaded by the add-on. || Delayed Reject | ||
|- | |- | ||
| | | There is a ''noticeable'' impact on performance, for example opening a new tab takes very long because the new tab page is very resource-intensive. || Reject Immediately | ||
|- | |- | ||
| The | | The developer has not provided links to third party libraries, the links do not point to the original maintainer’s website, the library does not match the original checksum from the developer.<br /><br /> The developer should be asked to provide the link where they received the library as per the [https://developer.mozilla.org/en-US/Add-ons/Third_Party_Library_Usage Third Party Libraries Usage guidelines]. If there is any indication that the modifications are intentionally violating policy, please [https://extensionworkshop.com/documentation/publish/add-ons-blocking-process/ reject immediately and escalate]. | ||
|| Delayed Reject | |||
|- | |- | ||
| The add-on makes use of nativeMessaging || Request Super Review | | The add-on makes use of nativeMessaging. || Request Super Review | ||
|- | |- | ||
| The add-on sets a newtab page that redirects to a remote page. || Reject | | The add-on sets a newtab page that redirects to a remote page. || Reject Immediately | ||
|} | |} | ||
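Review bot: The nativeMessaging row keeps the verdict "Request Super Review", which is not one of the four actions (Approve, Delayed Rejection, Reject Immediately, Escalate) that this revision introduces at the top of the section. Either add it to that list or map the row to one of the listed actions; the fork row in the earlier table has the same issue. Separately, the third party library row joins its three conditions with commas only, so add "or" before the last one if any single condition is enough.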
Line 178: | Line 176: | ||
! Example !! Verdict | ! Example !! Verdict | ||
|- | |- | ||
| The add-on uses a privacy policy which is merely a link to an external website || | | The add-on uses a privacy policy which is merely a link to an external website. || Delayed Reject | ||
|- | |- | ||
| On a quick skim, the privacy policy seems to be about a website more than it is about the add-on || | | On a quick skim, the privacy policy seems to be about a website more than it is about the add-on. || Delayed Reject | ||
|- | |- | ||
| After code review it is clear that the add-on exchanges data with a third party service, but the add-on description and summary do not include a summary of the information collected || | | After code review it is clear that the add-on exchanges data with a third party service, but the add-on description and summary do not include a summary of the information collected. || Delayed Reject | ||
|- | |- | ||
| The main purpose of the add-on is to collect and analyze form data. Therefore, the add-on collects personal data such as the name and email of the user and sends the data to the service, but without an opt-in for personal data. || Reject | | The main purpose of the add-on is to collect and analyze form data. Therefore, the add-on collects personal data such as the name and email of the user and sends the data to the service, but without an opt-in for personal data. || Reject Immediately | ||
|- | |- | ||
| An add-on collects all visited browser URLs without notice, as part of a feature that does not relate to the primary functionality of the add-on.<br /><br />This is considered collecting ancillary information not explicitly required for the add-on’s basic functionality. || Reject | | An add-on collects all visited browser URLs without notice, as part of a feature that does not relate to the primary functionality of the add-on.<br /><br />This is considered collecting ancillary information not explicitly required for the add-on’s basic functionality. || Reject Immediately | ||
|- | |- | ||
| The add-on collects personal data or passwords and sends it via http to a service. || Reject | | The add-on collects personal data or passwords and sends it via http to a service. || Reject Immediately | ||
|- | |- | ||
| The add-on exchanges data with a native application via native messaging, but the data being exchanged is not summarized in the description nor mentioned in the privacy policy. || | | The add-on exchanges data with a native application via native messaging, but the data being exchanged is not summarized in the description nor mentioned in the privacy policy. || Delayed Reject | ||
|- | |- | ||
| The add-on exchanges data via native messaging that does not belong to the primary functionality of the add-on and fails to adhere to the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements]. || Reject | | The add-on exchanges data via native messaging that does not belong to the primary functionality of the add-on and fails to adhere to the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#No_Surprises no surprises requirements].<br/><br/>In severe cases, such as when sensitive data is being exchanged, please reject immediately. || Delayed Reject | ||
|- | |- | ||
| The add-on stores information about tabs, but fails exclude storing information from private browsing mode tabs. || Reject | | The add-on stores information about tabs, but fails to exclude storing information from private browsing mode tabs. || Delayed Reject | ||
|- | |- | ||
| The add-on | | The add-on provides a search box for Google, Bing, Amazon etc. and search requests go through another website. || Reject Immediately | ||
|} | |} | ||
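Review bot: The native messaging row that fails the no surprises requirements now has "Delayed Reject" in the verdict cell and a second verdict ("please reject immediately") inside the example cell for "severe cases". A reviewer scanning the Verdict column will miss the exception, and "severe" is illustrated only by "sensitive data". Split this into two rows, one per verdict, and say what counts as sensitive.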
Line 205: | Line 203: | ||
! Example !! Verdict | ! Example !! Verdict | ||
|- | |- | ||
| The add-on injects remote data into an extension page or web page using innerHTML or other methods without prior sanitation. || Reject | | The add-on injects remote data into an extension page or web page using innerHTML or other methods without prior sanitation. || Reject Immediately | ||
|- | |- | ||
| The add-on makes use of React’s ''dangerouslySetInnerHTML'' with remote unsanitized data || Reject | | The add-on makes use of React’s ''dangerouslySetInnerHTML'' with remote unsanitized data. || Reject Immediately | ||
|- | |- | ||
| The add-on makes use of remote CSS scripts, which can cause security vulnerabilities in combination with libraries such as React and Angular. || Reject | | The add-on makes use of remote CSS scripts, which can cause security vulnerabilities in combination with libraries such as React and Angular. || Reject Immediately | ||
|} | |} | ||
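Review bot: In the innerHTML row, "without prior sanitation" should read "without prior sanitization"; the line is being touched anyway, so this is a good time to fix it. The third row's "remote CSS scripts" is also ambiguous; if remote stylesheets are meant, say so.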
Line 218: | Line 216: | ||
! Example !! Verdict | ! Example !! Verdict | ||
|- | |- | ||
| The add-on has a monetization feature but does not present a user control mechanism at startup. || Reject | | The add-on has a monetization feature but does not present a user control mechanism at startup. || Delayed Reject | ||
|- | |- | ||
| The monetization feature sends personal data, but the user control mechanism at startup is not an opt-in ( | | The monetization feature sends personal data, but the user control mechanism at startup is not an opt-in (e.g. default choice is to accept). || Reject Immediately | ||
|- | |- | ||
| The add-on sends data unrelated to the add-on’s function (ancillary data) specifically for monetization purposes. || Reject | | The add-on sends data unrelated to the add-on’s function (ancillary data) specifically for monetization purposes. || Reject Immediately | ||
|- | |- | ||
| The add-on monetizes by injecting ads into web pages, but fails to identify the content as belonging to the add-on || Reject | | The add-on monetizes by injecting ads into web pages, but fails to identify the content as belonging to the add-on. || Delayed Reject | ||
|- | |- | ||
| The add-on includes a crypto-mining function that mines coins in the background for the profit of the developer || Reject | | The add-on includes a crypto-mining function that mines coins in the background for the profit of the developer. || Reject Immediately | ||
|- | |- | ||
| The add-on contains a crypto-mining function for the profit of the user (this is still a performance issue) || Reject | | The add-on contains a crypto-mining function for the profit of the user (this is still a performance issue). || Reject Immediately | ||
|- | |- | ||
| The add-on shows information about crypto coins by querying a web service for information (this is not mining) || Approve | | The add-on shows information about crypto coins by querying a web service for information (this is not mining). || Approve | ||
|- | |- | ||
| The add-on changes all Amazon links on web pages to add affiliate tags to profit the developer || Reject | | The add-on changes all Amazon links on web pages to add affiliate tags to profit the developer. || Reject Immediately | ||
|- | |- | ||
| The add-on has links that include affiliate tags within the browser popup of the add-on || Approve | | The add-on has links that include affiliate tags within the browser popup of the add-on. || Approve | ||
|} | |} | ||
[[Add-ons/Reviewers/Guide/Reviewing|Previous: Reviewing]] [[Add-ons/Reviewers/Guide/Moderation|Next: Moderation]] | [[Add-ons/Reviewers/Guide/Reviewing|Previous: Reviewing]] [[Add-ons/Reviewers/Guide/Moderation|Next: Moderation]] |
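Review bot: The first row (monetization feature with no user control mechanism at startup) becomes "Delayed Reject", while the second row (a control exists but defaults to accept, and personal data is sent) becomes "Reject Immediately". As written, having no control at all reads as the milder case. If the difference is that the first row involves no personal data, state that in the row.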