Review doubts - Reviewers can you respond?


(sensible77) #1

Good day,

Could you kindly clarify my doubts?
After browsing the list of the last entries regarding “Blocklist Policy Requests”, I have some doubts whether your action (reviewing) is incorrect or the documentation is incorrect.
In a large number of cases, the reason given for blocking the add-on is: “Blocklist reasons: Remote script injection”. For example, bug 1534781.

There is an entry in the code:

eval(xhr.responseText);

and in the manifest file:

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"

According to the documentation, this is not prohibited: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
“Allow the extension to use eval() and similar features, by including 'unsafe-eval' in the script-src directive.”

Question:
Is the reason for the block, “Remote script injection”, a misuse on your part, or does the documentation describe parameters inconsistent with the AMO policy?

Best Regards
s77


(Philipp Kewisch) #2

Hi s77.

The docs at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy generally describe the content security policy and what you can do with it.

This is unrelated to the policies for add-ons submitted to addons.mozilla.org. You can find our add-on policies at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews. There it says, among other things, “Add-ons must be self-contained and not load remote code for execution”.

Thanks
Philipp
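
The distinction drawn in the reply above (the CSP can permit eval(), while the AMO policy requires add-ons to be self-contained) can be met by treating a remote response as data rather than passing it to `eval(xhr.responseText)`. The following is an added example, not code from the thread or from any reviewed add-on; the rule format, handler names and sample responses are hypothetical.

```javascript
// Added example: consume a remote response as validated data, never as code.
// All behaviour (HANDLERS) ships inside the extension package; the remote
// side can only select among it. Rule format and names are hypothetical.
const HANDLERS = {
  hide: (rule, page) => { page.hidden.push(rule.selector); },
  highlight: (rule, page) => { page.highlighted.push(rule.selector); },
};
const MAX_RULES = 100;
const SELECTOR_RE = /^[#.]?[A-Za-z][\w-]{0,63}$/;

// Parse and validate the response text; throws on anything unexpected.
function parseRemoteRules(responseText) {
  // JSON.parse throws SyntaxError on script source, so nothing is executed.
  const doc = JSON.parse(responseText);
  if (!doc || !Array.isArray(doc.rules) || doc.rules.length > MAX_RULES) {
    throw new TypeError("rules must be an array of at most " + MAX_RULES);
  }
  return doc.rules.map((rule, i) => {
    if (typeof rule !== "object" || rule === null) {
      throw new TypeError(`rule ${i}: not an object`);
    }
    // Own-property check: "constructor" or "__proto__" must not resolve
    // to inherited Object.prototype members.
    if (!Object.prototype.hasOwnProperty.call(HANDLERS, rule.action)) {
      throw new TypeError(`rule ${i}: unknown action`);
    }
    if (typeof rule.selector !== "string" || !SELECTOR_RE.test(rule.selector)) {
      throw new TypeError(`rule ${i}: bad selector`);
    }
    return { action: rule.action, selector: rule.selector };
  });
}

// In an extension this would be called from xhr.onload with xhr.responseText.
function applyRemoteRules(responseText, page) {
  for (const rule of parseRemoteRules(responseText)) {
    HANDLERS[rule.action](rule, page);
  }
  return page;
}

// Constructed sample responses.
const GOOD = '{"rules":[{"action":"hide","selector":".banner"},' +
             '{"action":"highlight","selector":"#price"}]}';
const SCRIPT = "alert(document.cookie)";                      // code, not JSON
const PROTO = '{"rules":[{"action":"constructor","selector":".x"}]}';
```

With this pattern the manifest no longer needs 'unsafe-eval' in `script-src`, since nothing in the response is ever evaluated.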