Dear Sir or Madam,
I am writing to you because of Mozilla’s new add-on policies. I am especially focusing on the point:
Encryption – standard, in-browser HTTPS – is now always required when communicating with remote services. In the past, this was only required when transporting sensitive information.
While I am supporting this new rule, I would like to ask, if there is any chance to be excluded from this policy. I am the developer of Domain Country, an add-on which allows you to retrieve the geographical information (and other data) about a given domain. To retrieve this data, Domain Country uses the API https://ip-api.com/. Unfortunately, this API requires a paid key to be accessible via HTTPS (Example URL: https://ip-api.com/json/mozilla.org). While I am very frustrated about this solution, I still decided to implement it, because I could not find another free API service. To still ensure that users are protected against Man-in-the-middle-attacks, I decided to manually validate the data after it is received (the code for Domain Country is open-source. This is the line, I’m talking about: https://github.com/Myzel394/domaincountry/blob/master/src/apis/fetchDomainInformation.ts#L94). Domain Country will also be continuously updated to ensure the user’s safety.
As a student with only low income it is also impossible for me to pay for https://ip-api.com/.
I hope you understand my problems and consider excluding Domain Country from the new add-on policy.