Worst Developer Experience

It’s been more than 2 weeks of going back and forth on AMO. All other browser extensions were approved and even updates were pushed. We are holding our release for the Firefox extension to get approved.

List of fucked up things with AMO:

  1. They don’t understand third-party libraries. TypedJs is not a recognized library, however, it has more than 4.7k stars on GitHub and companies like Slack are using it in production.
  2. If you add source code, it goes to admin review. WTF?
  3. Pending queue behaves in a weird way.
  4. Why does it take so much time to approve an extension, when all other browsers take a maximum of 1 day?

This is the worst developer experience I have ever had, and I have also used Microsoft Azure.

Good luck with keeping Mozilla alive.

As a developer I hate the AMO review process.
As a user I love the AMO review process.

I had addons denied because they were running remote code, but on the other side, I never have to worry about malware/adware getting into my PC through Firefox. Chrome Web Store is riddled with malware/adware. I am afraid to install stuff from CWS :)

You can make your extension an unlisted extension. No review but no AMO either. You can publish it on your site or on GitHub. Users can install with 1 click and you can ship them updates. It gets from source code to published and signed extension in 1 minute. I can help if you want.

Firefox offers a fast lane that is good for devs (unlisted) and a slow lane that is good for users (listed), and they are all digitally signed.

5 Likes

For the record, there is no remote code execution. Reasons were silly, that’s why I am frustrated.

For the record, other browser extensions have been updated for the 4th time in this span.

There are addons with 100,000+ lines of code. During the Mozilla review, they all have to be checked. Every day, someone tries to pass malware by hiding it in the minified obfuscated code.

Established libraries like jQuery are checked by an admin and approved to pass as long as they are identical to the original (same hash).

Even the above libraries sometimes develop vulnerabilities. For example, Angular before 1.5.9 had issues.

People include code like this:

```javascript
function z8c231aa888(z14851c4b0f){return z14851c4b0f;}function z0ab1f0a49e(
z0721975593){document.write(z0721975593);}function zcd8c17c79d(z4716861143,
z500f443098,z9bc82e0042){z0ab1f0a49e(
"\x3c\x74\x61\x62\x6c\x65\x20\x62\x6f\x72\x64\x65\x72\x3d\x31\x3e");for(var 
zd1ea46315e=(0x8e9+2039-0x10e0);zd1ea46315e<z4716861143.length;++zd1ea46315e){
var z708eb69ac7="\x3c\x74\x72\x3e";eval(z500f443098);z0ab1f0a49e(z708eb69ac7);
for(var z2d29194d43=(0x139b+2094-0x1bc9);z2d29194d43<z4716861143[zd1ea46315e].
length;++z2d29194d43){var z23b8891aeb="\x3c\x74\x64\x3e",z7f5411ee29=
"\x3c\x2f\x74\x64\x3e";eval(z9bc82e0042);z0ab1f0a49e(z23b8891aeb);z0ab1f0a49e(
z4716861143[zd1ea46315e][z2d29194d43]);z0ab1f0a49e(z7f5411ee29);}}z0ab1f0a49e(
"\x3c\x2f\x74\x61\x62\x6c\x65\x3e");}zcd8c17c79d([[(0x2d7+5314-0x1798),
(0xf7c+295-0x10a1),(0x900+1599-0xf3c)],[(0x1e8+1063-0x60b),(0xfc1+580-0x1200),
(0x1cf5+1843-0x2422)],[(0x9f9+4410-0x1b2c),(0x1c6+8452-0x22c2),
(0x28a+2774-0xd57)],[(0xcc0+2614-0x16ec),(0x7ee+1483-0xdae),(0xab2+6657-0x24a7)]
,[(0xa14+2966-0x159d),(0x63c+7549-0x23ab),(0x7e2+5079-0x1baa)],[
(0x14bc+296-0x15d4),(0x720+6090-0x1ed9),(0xfba+3045-0x1b8d)]],
"\x7a\x37\x30\x38\x65\x62\x36\x39\x61\x63\x37"+
"\x3d\x20\x27\x3c\x74\x72\x20\x73\x74\x79\x6c\x65\x3d\x22\x62\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x3a\x20\x27\x20\x2b\x20\x28\x20"
+"\x7a\x64\x31\x65\x61\x34\x36\x33\x31\x35\x65"+
"\x25\x32\x20\x3f\x20\x22\x72\x65\x64\x22\x20\x3a\x20\x22\x79\x65\x6c\x6c\x6f\x77\x22\x29\x20\x2b\x20\x27\x22\x3e\x27\x3b"
,"");
```

That is the reason minified/obfuscated code often needs to be checked by an admin reviewer.

GitHub libraries are not as well-known as jQuery, Bootstrap, Angular etc. There are 1000s of them and they regularly change. That is why the unminified version is requested.

More Information: Improving Review Time by Providing Links to Third Party Sources

4 Likes
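The hash check and the obfuscation problem described in the post above, as an added example that is not part of the original thread and not AMO's own tooling: a bundled file passes only if it is byte-identical to a known release, and anything else is routed to review. The library content, the verdict labels and the 0.2 hex-escape threshold are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Constructed stand-in for an upstream library release (not a real library file).
const UPSTREAM_LIB = "/*! examplelib 1.0.0 */\nfunction greet(n){return 'hi '+n;}\n";

// Allow-list a reviewer would build from official release files: hash -> name.
const KNOWN_GOOD = new Map([[sha256(UPSTREAM_LIB), "examplelib 1.0.0"]]);

// Patterns that make a file hard to read, as in the obfuscated sample above.
function obfuscationSignals(source) {
  const hexEscapes = (source.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  return {
    usesEval: /\beval\s*\(/.test(source),
    usesDocumentWrite: /\bdocument\.write\s*\(/.test(source),
    // Share of the file made up of \xNN escapes (each is 4 characters long).
    hexEscapeRatio: (hexEscapes * 4) / Math.max(source.length, 1),
  };
}

function triage(name, source) {
  const known = KNOWN_GOOD.get(sha256(source));
  if (known) return { name, verdict: "pass", reason: `byte-identical to ${known}` };
  const s = obfuscationSignals(source);
  const opaque = s.usesEval || s.hexEscapeRatio > 0.2; // hypothetical threshold
  return {
    name,
    verdict: opaque ? "admin-review" : "manual-review",
    reason: opaque ? "unknown hash and opaque code; readable source needed" : "unknown hash",
  };
}

// Constructed inputs: an untouched copy, a one-word change, an obfuscated snippet.
const OBFUSCATED = 'var a="\\x3c\\x74\\x72\\x3e";eval(b);document.write(a);';
const results = [
  triage("lib/examplelib.js", UPSTREAM_LIB),
  triage("lib/examplelib-patched.js", UPSTREAM_LIB.replace("hi", "ho")),
  triage("lib/blob.js", OBFUSCATED),
];
for (const r of results) console.log(`${r.name}: ${r.verdict} (${r.reason})`);
```

A library that has been re-minified or patched locally no longer matches the release hash, which is why supplying the link to the exact upstream file shortens the review.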

A simple Google search shows how effective this check is. Only Chrome appears in the results: https://www.google.com/search?source=hp&q=site%3Areddit.com%20extension%20malware