Self-hosted addon review process

Hi all, I have recently created a new addon and have used the web-ext sign CLI to get a signed version. Currently I am self hosting this addon. Today I thought I’d give it a try using the Firefox UI to upload a new version. I noticed that after I uploaded the file and clicked ‘Sign Addon’, I was navigated to a screen which asked me to submit source code. Do i need to do this for a self hosted addon? Without uploading the source code or clicking continue or cancel version, Firefox had already approved the sign addon.

I’m also wondering if it might be just a bug that it asks you to upload source code submission for a self hosted addon?

Hi @hmx789! This is a great question. Self-hosted extensions are still subject to review after publication. For all submitted extensions, though, we only recommend developers include their source code during submission if their extension uses code that is difficult to read, like code generated by minification or obfuscation.

We have more information about when developers should submit their source code on Firefox Extension Workshop. If your extension doesn’t meet those criteria, you don’t need to include it during the submission process.

Hi Cait! thanks for replying. Can you define what it means to be a submitted extension? Is it any extension that is signed? whether it’s on AMO or self hosted?

I think based on the criteria I will need to include source code during submission, but I was hoping it would not be needed for a self-hosted addon lol.

I know…I know I’m filled with questions today lol

If addons are automatically signed when they are self hosted, and published. What happens if the review fails?

For the users who had already downloaded the addon using the link before the review failed, are they still able to use the extension?

No worries. :slight_smile: “Submission” means uploading a new extension or a new version of an extension for signing, regardless of where it will be hosted.

A review rejection won’t impact users who have already installed your extension. You can read more about what to expect from a review rejection here.

1 Like

Thanks for the link, It clarified a lot of the information I was missing.

It seems to me that review rejections mostly impact addons listed on AMO.

If an earlier version of your extension is public, this becomes the one seen by visitors to AMO.
If there is no public version of your extension to display, your extension's listing on AMO is suspended. This means that your extension no longer appears in any lists on AMO, nor will it be returned in the results of searches performed by AMO visitors. Should someone follow an external link to your extension listing, they will arrive at a 404 page.

I think where my confusion lies is If the review is rejected for a self-hosted extension, can’t I still distribute my self-hosted extension using the signed file?

If the answer to the question above is yes, why would I have to worry about a review rejection for a self-hosted extension if I can still distribute my signed addon?

If the answer to the initial question is no, how would Mozilla stop users from downloading the signed extension file?

Hi @hmx789. You’re right – review rejections don’t have as much of an impact on self-hosted extensions. However, if your add-on is found to compromise user safety and/or privacy, we will block it.

2 Likes