How to solve "We dont allow add-ons to use remote APIs"

svenj · September 4, 2017, 9:58am

Hello

I got this Feedback from a reviewer:

We don’t allow add-ons to use remote APIs because they can create serious security vulnerabilities. Please insert those APIs locally from your add-on code.

I do not understand the last sentence…

How to solve it? How to get data from remote sites (like to insert in local plugin database)?

I am wondering about this, because other toolbar also fetch data via API and they are not declined.

If here is a reviewer in forum, I can give extension name.

Thank you.
Best regards,
Sven

erosman · September 4, 2017, 12:37pm

Which addon is it?

Remote scripts are not allowed. Some scripts can be included in the addon.

svenj · September 5, 2017, 10:14am

Yes, but the reviewer wrote remote API. I think its a write error. Its the addon with that UUID

{60361262-f72d-484e-b047-a231a277c1de}

You checked the addon before and we resolved all open issues. Then another reviewer denied it with that confusing message…

Thank you for checking

erosman · September 5, 2017, 11:50am

Only Admin can find addons by their ID. I need a normal URL or at least a name.

svenj · September 5, 2017, 2:16pm

Name is: CASHCOW - Das CashBack-Tool
Account Username: wonderunited

erosman · September 5, 2017, 3:43pm

store.min.js is still minified and requires unminified source uploaded and then it goes into the admin queue.

There are 73 JS files. Do you need to use JQuery localisation with 58 minified JS files?

Where do you get a remote script?

svenj · September 6, 2017, 12:35pm

I dont know where to upload unmified source. But here is the github project with full sources:

I removed unused localisation files … Uploaded that in new version 0.1.7
What do you mean with last question? I dont use any remote script …

erosman · September 6, 2017, 12:42pm

That was the reason for rejection… remote script/API

So where does it happen so I can check?

svenj · September 6, 2017, 12:49pm

user.js Line 270 (Ajax Request)
user.js Line 343 (XMLHttpRequest)

erosman · September 6, 2017, 2:42pm

Depending on how the data is used, it can be OK.

Addon needs a privacy policy.
Data must be sent with user consent (opt-in or from user action e.g. login)
The received data (JSON), if inserted in a document, must be inserted as text (not html./innerHTML etc)

svenj · September 6, 2017, 3:05pm

Thank you for your reply.

(1) I can add privacy policy text under Login form?
(2) I add sentence to login form, that data will sent to login remote
(3) do you know a quote/secure function? I have to do something like this:
element.html(’[p]’+securefunc(rawdatafromjson)+’[/p]’)
Can I do that? Because I also must add static html + received raw data

I found that jQuery way:

‘[p]’+$(rawremotedata).text()+’[/p]’

erosman · September 6, 2017, 3:28pm

No… Privacy Policy for the addon.
We require add-ons which send potentially private or personally identifiable information to provide a Privacy Policy detailing what information is sent, and how that information is used and protected.

Privacy Policy should be an actual text, not just a link to a website.

Please go to Edit your addon

Manage Authors & License
Privacy Policy

Also mention in Addon’s description

No… that would get rejected

If you are using JQuery, something like this; (I dont use JQuery)

$('#box').append(
  $('<div/>')
    .attr("id", "newDiv1")
    .addClass("newDiv purple bloated")
    .append("<span/>")
      .text("hello world")
);

The important part is the remote data must be added as TEXT eg .text(rawdatafromjson)

svenj · September 7, 2017, 11:26am

Thank you for the feedback. I resolved all issues with new version 0.1.9. Please check …