Is it possible to develop a paid extension?

I think I have a really good and useful tool idea in mind. Since the effort, time and maintenance would incur some costs, I was wondering if it is possible to develop a “paid” or “licensed” extension other than the usual “donate if you like”, since this add-on will need some resources on my side other than time.

From what I understand you can require payment to enable features when it is a listed extension, but you have to disclose what you have to pay to unlock things. There’s also a flag for the listing to indicate that the extension has features that require payment.

The only relevant resource I could find is https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Content

I’m not sure what the rules for unlisted extensions are, but there is probably no explicit need for disclosure, since you control distribution yourself.

I don’t know where in the documentation I read this, but I’m pretty sure it is stated somewhere that listed extensions mustn’t be useless without the payment.

So payment to disable ads or to unlock “advanced” features is fine, but having an extension where the first and only thing a user gets is a paywall is not. And I don’t think you’d get away with a trial period either.

Due to complexity of functions I can have a “free edition” and offer extra functionalities upon payment, also in consideration that the most resources are used by the latter.

If I get it right, add-ons with paid “extras” cannot be listed in AMO?

They can be listed on AMO, they must just declare that they have such paid features. And there’s a checkbox you should check, which adds a little info tag on the listing.

I was hasty, further reading your link there is a mention:

Add-ons must disclose when payment is required to enable any functionality.

I read this “any functionality” as also “any of the functionalities”; however, if it needs to offer something given “for free” to be published, I can accept that. The features I have in mind need to communicate with dedicated software hosted on AWS. I’m not even totally sure if I can have an extension communicate with a web server or service in general, but this is the requirement that will allow me to provide the functionalities.

Would you mind sharing how you intend to “unlock” functionality of your extension and verify payment?

I’ve been wondering about this for some time and don’t have a good understanding of how tamper-proof extension code and data are, such that they could be used to verify payment and unlock portions of code.

Thank you.

Hi, it comes down to normal coding. Imagine how e-commerce works; you could redirect users to your website and have them buy a license from you.

Thank you for responding to my question. I may likely be overlooking something very simple. I’m trying to understand how one could provide the full functionality in a web extension, with some portion turned off until a license is purchased, and then turn on the rest of it after purchase. Could you please point me to some information that would help me to understand the following? Thank you.

Once a license has been purchased, how is the web extension “informed” to turn on the full functionality?

How can one prevent someone from simply turning that functionality on without purchasing a license?

I am assuming that the full functionality must be provided in the extension with the purchasable portions turned off. Once a license is purchased, some type of purchase validation is performed between the web site and the extension that “informs” the extension that purchase has been made by setting some variable to true, for example, which then permits the extension to provide the full functionality.

Could someone not set that variable to true without purchasing? And, if not, how do you limit the purchase to work on one or a set number of machines only?

I thought extension code is visible to all users and anyone who understands it could write a script to alter the stored data and invoke any functions of the extension. Thus, I don’t understand how an extension could not easily be altered to bypass a required purchase.

Thank you.

This boils down to similar mechanisms as all software licenses/DRM do. You need some way of verifying that a user is allowed to use a certain feature. And also has the whole tail of piracy/circumvention, as always. So you’ll likely want to research that. It likely involves having some server that knows ground truth about if a user is allowed to access a feature. Usually this is coupled to having an account with the company, in the case of password managers for example.

It is a really trivial part once you find a really cool idea to implement, it must be something really useful and not already present, this is the hard part I think.

You could for example have a setting where a user would enter a license key, or if possible bind it to their Google/Firefox accounts as well, so no need for a license as well. Given this part you can just sew functionality making calls to a webservice that you run and which responds accordingly. Needless to say, you can encrypt the data you are sending, and only the receiver with a good license will be able to read it.

Thank you both for the answers.

In the scenario provided by elnath78, is it correct that the added functionality for purchase that was mentioned would not exist in the web extension code itself but on a server, and the extension would just provide the means of access to and communication with it?

I, perhaps, am not using a web extension as it is intended. I would like nearly all the code to exist within the extension such that the user can use the majority of it offline, almost as a desktop application. A large portion of the people I had in mind in building the extension won’t have continual access to the internet to be connected for long periods of time.

The extension has a “build” side and a “run” side, both of which can be performed completely offline. Through the extension, when online, users can choose to share what they have built with others. All one would have to do to use a shared file is download it and “run” it offline through the extension.

I have this part working but there are three items I have been considering and struggling to understand.

  1. If I were to attempt to sell the extension for a small fee, although I can require an online registration of the extension to verify purchase and turn it on, since the main code is in the extension it appears that one who understands extensions could easily circumvent it.

  2. What if a user who built a module through the extension wanted to share it with others to be run but not be opened in the build side? I can think of ways to make that work but not one that is very strong since it would have to be done within the extension code.

  3. Since it can take considerable time to build a useful module through the extension, I wondered if there was a way to make it possible for others to sell their modules for a small fee.

Although I can think of ways to do these that would be somewhat difficult for one to figure out without working at it, none of them are very strong since the successful online verification step must somehow be logged and saved within the extension so that the files can be run offline, which makes it visible to someone to ascertain.

So, in this respect, it doesn’t appear to be possible to make it very effective.

Of course, few people may be interested in the extension anyway and it wouldn’t be worth it to anyone to bother to figure out how to circumvent these items. So, putting in some type of verification would be good enough.

Thank you.

EDIT:
It has been several months since I read over the MDN documents on publishing extensions; so, I was reading them over this evening and noticed the one on how to make money from browser extensions.

Under the section entitled “Implementing a payment and licensing mechanism”, four bullets are provided and it appears that storing a hash code of the license key rather than the key itself in the browser is considered a reasonable approach. And the “Developer Tip” in this same section recommends not spending much time trying to secure the hash code. I’m not sure I understand the logic for why, but the information is useful for someone with my limited understanding in this area.

Consider that whatever works offline is now subject to hack; you have no means to verify any license in this case.

Thank you. I understand that in general; but, to be more specific, please consider the following scenario.

  1. Upon purchase, a license key is sent to the user.

  2. Through the extension pages, the license key is entered by the user and submitted to the server.

  3. The server verifies that it is a valid key and returns a hash code of the key to be stored within the browser, possibly along with some personal user information such as a pin, as a means of “turning on” added features.

Under this scenario, what really turns on the added features? Is it just testing for the presence of the hash code and pin, indicating that the verification was once performed? Or, is it passed to the server every time an added feature is invoked?

My point is that as long as that key, in any form, is stored within the browser, whether the added features are held within the extension or on a server, is it not possible for a user to determine the key through viewing the extension code and data?

I’m not implying that an extension is so important that it warrants a high level of protection. I just want to understand it.

My first thought was to provide a license key and then hold it in a table on the server along with the user’s IP address, such that each key could be used on only one computer at a time. This would be performed as a one-time online registration after which all the code in the extension would function offline. I figured I could periodically in the background re-validate that the key and IP address match, when the user goes online again. But the key, in some form, would have to be stored in the browser and, therefore, could be determined by the user.

So, I don’t see the difference between having the feature code in the extension or on a server, in terms of validating a license key since that key has to be stored in the browser regardless.

Thank you.

Hi Gary,

There are tools that can record every file/registry action performed by an app. Now all the software that we use requires online activation for a purpose. You can make it as complex as you think it is, but the only secure way to protect your work is to perform online checks. If you also want to limit the users each license gives, you must also extend this functionality.

Thanks, Stefano. I understand your comments about needing online activation and online checks. What I’m not understanding is how, even with online activation and checks, the license information is ever secure; because the information used to perform the checks is stored in the browser. At least that is the suggested method provided in the MDN document about making money with extensions.

The third bullet under “Implementing a payment and licensing mechanism” reads that, upon purchase/activation, a hash code of the license key is stored in the browser. The fourth bullet reads that each time the added functions are used, the hash code is checked for validity on the server.

So, if one were to purchase a license to use the added functionality of your extension and activated it online, such that your server sent back and stored a hash code of the license key (or any value/code you develop) in the browser, could one not, with some effort perhaps, locate that value/code in the browser data? Then, one could write a script instructing an unactivated copy of your extension to write that same value/code to the same browser data property, such that when the added features are used, the browser would send your server that valid code which would pass the online check and the added features could be accessed?

I may be misunderstanding but, at this point, it appears that no matter how secure the server checks are, the browser is the weak point because some code must be stored in the browser to be sent to the server for validation; and that code is discoverable in the browser.

Is it correct that there is no way to perform the online checks without storing some form of encoded license key in the browser?

And, if so, is it correct that the best that can be done in the browser is to make it as complicated as possible to locate that code?

Thank you. I appreciate you putting up with my ignorance in this area.

There are many ways of binding software. One simple one could be paid use: a user buys, for example, 100 tokens, and each call to the app will consume some amount. This way, sharing the license with others would not matter for you; it is also a good solution in case you want to limit or prevent the sharing of a paid app with other people.
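The Node.js example below is added here and is not code from any poster or from MDN. It shows the server-side half of the scheme discussed in this thread: the server stores a hash of the license key, binds activations to a per-install id with a seat limit, and meters paid calls as tokens. `LicenseServer`, its methods and the install id (assumed to be generated by the extension on first run) are hypothetical names.

```javascript
// Added example (hypothetical names): the server, not the extension, holds ground truth.
const { createHash, randomUUID } = require("node:crypto");
const sha256 = (text) => createHash("sha256").update(text).digest("hex");

class LicenseServer {
  constructor() {
    // keyHash -> { credits, maxSeats, seats: Set of install ids }
    this.licenses = new Map();
  }

  // Called by the payment back end; the returned key is sent to the buyer.
  issue(credits, maxSeats) {
    const key = randomUUID();
    this.licenses.set(sha256(key), { credits, maxSeats, seats: new Set() });
    return key;
  }

  // One-time activation: needs the key itself plus an id the extension
  // generated at install time (assumed). The extension stores only keyHash.
  activate(key, installId) {
    const keyHash = sha256(key);
    const lic = this.licenses.get(keyHash);
    if (!lic) return { ok: false, reason: "unknown-key" };
    if (!lic.seats.has(installId) && lic.seats.size >= lic.maxSeats) {
      return { ok: false, reason: "seat-limit" };
    }
    lic.seats.add(installId);
    return { ok: true, keyHash };
  }

  // Every paid call is decided and metered here, never in extension code.
  use(keyHash, installId, cost = 1) {
    const lic = this.licenses.get(keyHash);
    if (!lic || !lic.seats.has(installId)) return { ok: false, reason: "not-activated" };
    if (lic.credits < cost) return { ok: false, reason: "no-credits" };
    lic.credits -= cost;
    return { ok: true, remaining: lic.credits };
  }
}

// Constructed scenario: one license with 3 credits and 1 seat.
function demo() {
  const server = new LicenseServer();
  const key = server.issue(3, 1);
  const buyer = server.activate(key, "install-A");
  const copiedHash = server.use(buyer.keyHash, "install-B"); // stored hash moved to another install
  const sharedKey = server.activate(key, "install-B");       // key shared past the seat limit
  const calls = [1, 2, 3, 4].map(() => server.use(buyer.keyHash, "install-A"));
  return { buyer, copiedHash, sharedKey, calls };
}
```

A client that presents both the stored hash and an already activated install id is indistinguishable from the buyer to this server, but every call it makes is deducted from the buyer's own credits.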

Thank you, Stefano. I never thought of anything like that before.

I likely won’t be employing a technique like this because I very much want the extension to work offline after a one-time online activation. But it is interesting to know. Thanks again.