Awaiting review. 7 days until disabling of signed released versions

Add-ons
1

Hi

Like many of the posts here this is an appeal of last resort as we’ve tried commenting and replying to the “Mozilla Add-ons” email to no avail.

Our extension is self hosted and loaded via enterprise policy install_url. It has been active for 23 months, with each release previously getting automatically signed immediately. On the 20th January we were advised via email that our extension was manually reviewed and violates the “Sources” policy. It took us a moment to see the email, but we worked to resolve this as quickly as possible. From the 26th January every release now includes a source archive.

While being unable to release new feature or even patch versions is not great, our main concern is that in the email we were advised that existing signed releases would be disabled in 30 days. This would essentially be a denial of our service to customers and something they will very likely notice.

Due to the requirement for Mozilla to sign every extension, regardless of how it is distributed, there seems to be nothing we can do to solve this. While we can appreciate the noble goal of ensuring the safety of extensions released via the web store, if a company has decided to install an extension via managed policy install_url to their own endpoints, they have accepted that responsibility instead. Perhaps while Mozilla is working out its internal issues, the automatic signing could be enabled regardless of manual review status for self hosted extensions.

If someone from the Mozilla/Addon team could reach out to us that would be very much appreciated.

Addon/Extension ID: 087060454d874bf98f12

2

Hi @harmonic and thanks for reaching out.

I am Christos, Addons Sr. DevRel Engineer, part of the Mozilla Add-ons team. Please allow me to get back to you in detail early next week, after I have looped in the rest of the team.

In the meantime, could you please share the email you received from us?
I am curious because disabling a specific version of an Addon does not disable the entire Addon. The last approved and working version of the Addon, prior to the one being reviewed, will continue to operate. If the email states otherwise, we need to investigate it further or change the language to make it clearer.

Apologies for the inconvenience. I am awaiting your reply and will get back to you next week. Until then, wishes for a great weekend!

3

Hi Christos,

Thank you very much for your prompt response. The email in full as requested:

Hello,

Your Extension Harmonic Security was manually reviewed by the Mozilla Add-ons team in an assessment performed on our own initiative of content that was submitted to Mozilla Add-ons.

Our review found that your content violates the following Mozilla policy or policies:

  • Sources, specifically Sources missing: Your add-on contains minified, concatenated or otherwise machine-generated code. You need to provide the original sources, together with instructions on how to generate the exact same code used in the add-on. Source code must be provided as an archive and uploaded using the source code upload field, which can be done during submission or on the version page in the developer hub. All dependencies must either be included in the source code package directly or downloaded only through the respective official package managers during the build process. Instructions can be provided in a top-level README file inside the source code package or in the “Notes to Reviewers” field on the version page in the developer hub..

Affected versions: 1.31.0, 1.32.0, 1.33.0, 1.34.0, 1.35.0, 1.36.0, 1.37.0

Based on that finding, those versions of your Extension will be disabled on https://addons.mozilla.org/developers/addon/2836936/versions in 30 day(s). Once disabled, any public version affected will no longer be available for download from Mozilla Add-ons, anywhere in the world, but any compliant versions will remain in place, and you may choose to upload a new version that addresses the policy violation. Users who have previously installed the disabled versions will be able to continue using them.

More information about Mozilla’s add-on policies can be found at https://extensionworkshop.com/documentation/publish/add-on-policies/.

Thank you for your attention.

[ref:0f98d8d7-b258-4dc9-80ca-66028513bc02]

Mozilla Add-ons Team
https://addons.mozilla.org

Perhaps I am misinterpreting the impact of a disabled extension. One time I accidentally deleted a version that was still being used for internal testing. The warning that appeared in the extensions view at that time (September 2025) was:

This extension is restricted for violating Mozilla’s policies and has been disabled. You can enable it, but this may be risky.

So while the extension could be made to work, we would prefer not have that warning next to our extension in our customer deployments. In particular the “violating Mozilla’s policies” part caused some concern among our internal users.

Thanks again,

Harmonic

4

Hi Christos

We received an email 19 hours ago that states that the previously mentioned versions have now been disabled:

Affected versions: 1.31.0, 1.32.0, 1.33.0, 1.34.0, 1.35.0, 1.36.0, 1.37.0

The Add on Developer Hub confirms that these are “Disabled by Mozilla”. Note that I had actually gone back and added a source archive to each of these versions so they were no longer in violation.

On Monday all our pending extensions did get signed along with new ones so thank you for sorting that. However, we still have customers using 1.33.0 so this is a problematic situation for us.

Could the disabling of 1.33.0 please be reverted.

5

Hi Harmonic, I am happy to hear that all your versions were verified!

Regarding 1.33, even though the version is disabled, existing users are not affected:

Users who have previously installed the disabled versions will be able to continue using them.

Will reviewing and potentially enabling version 1.33, so new users can download it, benefit your business? If so, I can reach out to the reviewers and have them put in the reweing queue.

Also, due to the extremely long queue of reviews we currently have, we kindly invite you to address any compliance issues in advance (at least 48 hours before the disable date) so we have time to review them. That’s the main reason behind the 30-day compliance period before disabling them.

Last but not least, regarding the warning message about a disabled version:

This extension is restricted for violating Mozilla’s policies and has been disabled. You can enable it, but this may be risky.

Yes, even though that version can be used while being disabled, it was disabled for a reason, and that’s what we communicate to the user. If maintaining older versions of addons is a key priority for you, I can help you make those older versions compliant so your users won’t have those messages, which, if seen out of context, can alarm them.

Looking forward to working with you more closely, and wishing you a great weekend!
-Christos

6

Hi Christos, thank you for the quick response.

According to the review history for 1.33.0:

Source code uploaded by Harmonic Security 3 days ago (2026-02-16T16:59:15Z)

Rejected automatically after delay expired by Add-ons Review Team 21 hours ago (2026-02-19T18:01:06Z)

At the risk of being pedantic, we tried to address the compliance issue 73 hours prior to the deadline.

If Firefox is not showing any warning on the existing deployments of 1.33.0, then this is not an issue.

7

I just confirmed with engineering that your users won’t even notice that this version is disabled on AMO.

However, could you please walk me through how you got this policy violation message? Did you disable and enable the addon later, or did you delete it and install it locally from an XPI file?

8

Hi Christos,

So that policy violation occurred back in September 2025 when I was deleting old versions of the extension and accidentally removed 0.431.0 from the Developer Hub via the “Delete Version” button (we generate releases via CI/CD so was cleaning up release candidate builds). The extension was deployed via managed policy and that was the latest version at the time.