Add-on Policy and Process Updates

Caitlin Neiman

34 responses

As part of our ongoing work to make add-ons safer for Firefox users, we are updating our Add-on Policy to help us respond faster to reports of malicious extensions. The following is a summary of the changes, which will go into effect on June 10, 2019.

  • We will no longer accept extensions that contain obfuscated code. We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included. If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked.

We will also be clarifying our blocking process. Add-on or extension blocking (sometimes referred to as “blocklisting”), is a method for disabling extensions or other third-party software that has already been installed by Firefox users.

  • We will be blocking extensions more proactively if they are found to be in violation of our policies. We will be casting a wider net, and will err on the side of user security when determining whether or not to block.
  • We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control.

You can preview the policy and blocking process documents and ensure your extensions abide by them to avoid any disruption. If you have questions about these updated policies or would like to provide feedback, please post to this forum thread.

 

May 4, 2019 9:09 AM PST update: A certificate expired yesterday and has caused add-ons to stop working or fail to install. This is unrelated to the policy changes. We will be providing updates about the certificate issue in other posts on this blog.

9:55 am PST: Because a lot of comments on this post are related to the certificate issue, we are temporarily turning off comments for this post. 

34 responses

  1. Lonke wrote on :

    Amazing stuff!

  2. Chris wrote on :

    How about cracking down on some of the the ridiculous permissions that some apps require?

    1. Bry wrote on :

      How do you know they weren’t already doing it before WITHOUT your permission? If anything, it’s BETTER now that we know what we’ve been missing out on in the past.

  3. mike wrote on :

    I think the most important change would be to actually communicate this – every extension that promises to not send any user data to a remote server needs to get a visible badge that says “no data collection”, so as a user I can install it without having to research whether it is safe.

    1. Vegas wrote on :

      That would actually be pretty awesome, yeah

  4. Mat wrote on :

    Should we be concerned they all disabled a few moments ago and not on June 10th as stated above?

  5. solrize wrote on :

    Hi what the heck happened, firefox just up and disabled adblock+ and won’t reinstall it from the addon site: https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

    also the freenode #firefox channel kicks me to #firefox-unregistered even though I’m on a registered freenode nick, and it won’t let me post to that channel. On irc.mozilla.org I can’t post to #firefox because it says an account is needed, but no indication of how to get one. Someone on channel said using bugzilla account was ok but no indication of how to authenticate to irc with it.

    Stuff is breaking too much! Thanks.

  6. Carol MD wrote on :

    The add-on “Pinky” for The Settlers On-Line has stopped working, and I can not re-install it. I get a message to check my internet connection. That doesn’t make sense.

  7. jr30144 wrote on :

    Great! but all my extensions have stopped working in the last hour and download of new add ons fail

    1. Caitlin Neiman wrote on :

      Hi there! This is due to an expired certificate issue. For more information, please see https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

  8. Victoria Pearson wrote on :

    That’s all well and good, but why did ALL of my extensions get shut off all of a sudden without warning? It doesn’t seem like there is a work around either. I have a Speed Dial extension, go to the settings and it says it’s been shut off and to ‘Find a Replacement.’ I click on ‘Find a Replacement’ and it takes me to a different extension page. Alrighty then, I’ll just download this extension until the other one updates, no problem… I click on ‘Add to Firefox’ and the text that pops up is ‘Download failed. Please check your connection.’ Restart Firefox and try again… I obviously have internet…. again, ‘Download failed. Please check your connection.’ WTF Firefox!!!! I don’t want to use f*cking Chrome……… but I will if I have to….

  9. Victoria Pearson wrote on :

    Apologies about my previous comment Caitlin, I just want to know how to fix this. When will it be fixed, or is it going to take so long that I need to do something like this: https://www.reddit.com/r/firefox/comments/bkfy5k/as_of_1200_am_utc_nearly_all_firefox_extensions/emghlsf/

    Also, I’m kinda lost as to how to do a lot of that, not sure how to get to about:debugging, loading xpi files and so on.

    Again, sorry for my previous message. I love firefox and just want it to go back to where it was. Hope you have a good day.

  10. Gael wrote on :

    How about fixing the current disabled add-ons issue? Mozilla will be abandoned in droves if it’s not done soon.

  11. Nicholas wrote on :

    All of my extensions were blocked !!! I even tried Tor Browser and got one extension blocked as well (NoScript) which is signed!

    One guy said that this happened due to this major change in add-on policy
    https://www.ghacks.net/2019/05/04/your-firefox-extensions-are-all-disabled-thats-a-bug/

    Now i can’t event browse the way i want!

    1. Caitlin Neiman wrote on :

      This was due to an expired certificate and not related to the policy change.

  12. aaa wrote on :

    why are all the addons disabled? wtf?

  13. John wrote on :

    Disconnect, uBlock, Ghostery, Malwarebytes, HTTPS Everywhere, Translate, etc. add ons are all disabled.

  14. tigny wrote on :

    “right now” means 2019/05/04 around 12 AM France time.

  15. Dan wrote on :

    Please allow adblock and adblock plus back. It makes a huge difference when browsing.

  16. Joe wrote on :

    All of my add-ons/extension were disables last night, and now Firefox will not allow me to install any add-ons. I have rebooted, uninstalled and reinstalled firefox, and every time I try to add an add-on to firefox, no matter which one I’m trying to add, I get the same message:
    “Download failed. Please check you connection.”
    My internet connection is just fine, by the way.
    Please help me. I cannot go back to watching ads on youtube or I’ll have to switch browsers and I REALLY don’t want to do that.
    Please help!

  17. Mark wrote on :

    Ad blocking add ins have stopped working and now I get a corrupted file message when I try to download Ghostery. Can I send a screenshit?

  18. MonaLisa wrote on :

    So as a common user of FF and need adblocking, what do you suggest to all of us out here to use as an adblocker now? All of my adblockers have been disabled..what now?

  19. db wrote on :

    Did Firefox mean to disable a bunch of highly popular extensions today? (Sat May 4)

    1. Caitlin Neiman wrote on :

      No, that was unintentional and due to an expired certificate. We’re working on a fix right now.

  20. Steph wrote on :

    And How we can disable this new boring feature ?
    It’is possible using “about:config” ?

  21. Peter Braet wrote on :

    All extentions are blocked! HTTPS Everywhere, NoScript, I don’t care about cookies, AdBlock Plus.
    Read it has something to do with UTC time… Will Mozilla fix this soon? I don’t want to browse without these, so it really has to be Firefox, which I can’t use before this is fixed. Most websites are full of crap without these extensions.

  22. John A. Nonymous wrote on :

    Expiration of a key/certificate should be much less in response than the issuance of a revocation key/certificate.

    Expiration should only result in the inability to sign new objects, but verification of existing objects previously signed by the key/certificate should still be possible. “A document, once signed in ink, does not become void simply because the pen it was signed with runs out of ink at a future date.”

    Revocation is much more serious, completely invalidating the key/certificate and all actions performed by it, regardless of when. “All documents signed by John Doe are to be considered null and void, as Mr. Doe’s authority to sign those documents was fraudulent.”

    The actions taken by Firefox this weekend matched those of a revocation while the reason given was a simple expiration. This appears to be a shockingly bad error in design or implementation. Lessons learned, one hopes.

  23. Alex wrote on :

    Hello Caitlin. Can I ask for more clarification on what exactly is going to be considered “obfuscation” here?

    According to Wikipedia, https://en.wikipedia.org/wiki/Obfuscation_(software) , obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand.

    This page, https://www.preemptive.com/obfuscation , lists:

    1. Rename Obfuscation – but you do allow minification so this is okay as long as the unminified code is included?

    2. String Encryption – what if a server sends encrypted or compressed data that needs to be decrypted before it can be used?

    3. Control Flow Obfuscation – ok, got it that this is not allowed

    4. Instruction Pattern Transformation – ok

    5. Dummy Code Insertion – ok, yes, likely nefarious

    6. Unused Code and Metadata Removal – Debloating comments, asserts, console logging and other non-functional code is allowed? But yes, comments do make the code more understandable.

    7. Binary Linking / Merging – not really applicable to javascript but the policy does say that we can combine files

    8. Opaque Prediction Insertion – ok, possibly useful for nefarious means

    9. Anti-Tamper – probably not the point of the policy

    10. Anti-Debug – ok

    I wasn’t going to throw the spotlight on myself but my extension does #1, #2, #6 and #7.

    If you view the released source code, it is not human readable, all variables are max of 2 characters as well as all function names because of #1 (renaming).

    My competitor (533k installs on Firefox and 10M installs on Chrome) doesn’t do this so much and, for example, their content script is 159x the size of mine, does less and has no way to run on mobile. In fact, most popular complaint is that their extension slows down the browser or eats all your memory and I would bet that code size plays some part in that.

    Please clarify, and if you can please confirm that #1 (renaming), #2 (re: using encrypted data) and #6 (debloating) are allowed in these limited contexts.

    1. Hikaru S wrote on :

      How Can I know that if my add-on violates or not to new policy?

      1. Philipp Kewisch wrote on :

        Hi Hikaru. It is best if you read our policies and see if you are violating any of the items. As for obfuscation, if you have used a tool to obfuscate your code then you will know your add-on violates the policy. There may be a few other situations, we’d let you know via the review tools if we come across obfuscation we are worried about.

        1. Hikaru S wrote on :

          Hi Philipp,

          Thank you for your reply, I almost believe that my add-on is not violating to new Policy, but I need to be convinced that my add-on wont violates to that, because that add-on is used by my team for our business.
          Can I get any tools for checking if the add-on is OK or not? like, uploading my code to Mozilla add-on center or something?

    2. Philipp Kewisch wrote on :

      Hi Alex,

      thanks for the run down, I’m happy to go through these:

      1) While this may be obfuscating in the sense that it is less readable, we consider this minification instead. This is allowed.

      2) This depends on the situation. Such techniques are often used by malicious actors to introduce obfuscated code. What we won’t allow is encrypted/compressed server side data that obscures the logic of the add-on functionality. If it is clear what is being done with the encrypted data (e.g. decrypt and safely display), this is ok.

      6) This is fine, removing comments is ok. We can’t actually trust that the comments are correct, so this isn’t information we rely on when reviewing add-ons.

      7) Concatenating and Transpiling code is ok, as long as sources are submitted.

      I hope this helps clarify. We’ve also described this in some detail at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Source_Code_Submission#Use_of_obfuscated_code . If you could give that a look and let us know if there is anything that wasn’t clear from those docs that would be great, this way we can improve our documentation going forward.

  24. kjemmo wrote on :

    “We will no longer accept extensions that contain obfuscated code.”

    Does this go for unlisted add ons as well?

    I have a commercial add on that users pay for. With no obfuscation I would be giving the source code away and have a cracked version out in no time. In short 5 years of work will be lost. Any thoughts on that?

    1. Philipp Kewisch wrote on :

      This goes for self-hosted add-ons as well, yes. Code obfuscation is not impossible to reverse engineer. In fact, there are numerous tools on the web that make it fairly simple to deobfuscate code generated by most of the known tools. If static deobfuscation doesn’t work, the code can also be dynamically deobfuscated during runtime.

      While this may not be very comforting, I do hope that your add-on won’t have a major impact in sales due to this change.