Addon version submitted 1 month ago and still waiting in queue

Add-ons addons.mozilla.org
#1

Hello,

I submitted a new version of my addon exactly one month ago and it is still waiting to be reviewed.
The addon is:
https://addons.mozilla.org/fr/firefox/addon/rendement-locatif/

Can someone please have a look at it ?
Previously (before webextension I guess), it used to take 1 to 3 days max, what’s happening ?

Thanks

#2

The addon is in admin review queue due to the minified code. They can take longer to review.

I am not an admin reviewer, however, your addon will be rejected. I am going to email you a few issues that would be better to fix, and then upload a new version.

Here are the above mentioned issues:

  1. Your custom CSP allows remote-script injection which is not allowed.

  2. Your add-on includes a JavaScript library file that doesn’t match any versions known to us. We require all add-ons to use unmodified release versions.

We accept JQuery/JQuery-UI libraries downloaded from ‘ajax.googleapis.com’, ‘jquery.com’ or ‘jqueryui.com’; and used without any modification. Minified versions are better. (file-name change does not matter)
I’m sorry, but we cannot accept modified, re-configured or customized libraries.
e.g.:
jquery.min.js

  1. Add-on contains duplicate/hidden/unused/unnecessary files or folders. These complicate the review process and may contain sensitive information about the system you created the XPI on. Such files may also create cause for rejection. Please correct your packaging process so that these files aren’t included.
    e.g.:
    __MACOSX … and its content

  2. Your add-on’s code includes instances of printing debugging information to the Console, which is generally not allowed in production add-ons. Please remove or disable such logging.

  3. We don’t allow add-ons to use remote scripts because they can create serious security vulnerabilities. We also need to review all add-on code, and this makes it much more difficult. Please insert those scripts locally from your add-on code.
    eg:
    tracks.js

  4. We do not allow the Google Analytics script to be included in the extension, you need to use a content iframe to include GA.
    Further information: https://blog.mozilla.org/addons/2016/05/31/using-google-analytics-in-extensions/
    Using Google Analytics in an add-on, requires disclosure in both the add-on description and the Privacy Policy.

#3

The full source code is also provided as instructed.
It would have been great is the issues were raised faster, I hope I won’t wait one more month for the next reviewers comments.

I’m pretty sure I know what the issues will be. The problem is that now that Firefox supports webextension I just ported the code I use already in Chrome so to reduce coding time of course. The old code was thus abandonned.

But Firefox is far more restrictive compared to Chrome. So in the end I feel like I will still have to rewrite lots of things.

#4
  1. i’ll check that, I will need more details though
  2. the library is jquery, unmodified.
  3. does this really matter ??
  4. Only in dev mode. The submitted addon is in production mode so nothing is printed in the console. It is already disabled.
  5. The addon does not use analytics it’s commented in the code.
#5

I’ve fixed most issues in the last submitted version. I didn’t minify this time and I removed the content-policy field in the manifest which was not really used so to reduce review times.
I’m not sure about 1), I’ll need more details from a reviewer.

#6

  1. … still there

  2. if it has extra line breaks etc it will fail the hash checksum. It is best to use unmodified. The included one, fails the checksum. The new JQuery is fine in Version 1.7.9.1

  3. That is not a cause for rejection but it should be removed.

  4. Console logging does not normally cause a rejection but it should be controlled. I haven’t checked it all but for example:

    statusCode: {
    404: function(response) {
    console.log(‘404’);
    }

  5. tracks.js is there. If it is not used by the addon, it should not be included. Please note the number 3:

The unminifed code will help get the addon reviewed faster … BUT … you have to ask admin (on IRC for example) to move your addon to normal queue. Once addon is in admin queue, it will stay there unless admin manually move.

I have not checked background.js
The rest of the issues are still there and will cause a rejection.

#7

What is a custom CSP ?

#8

New version :

  1. I removed the “content_security_policy” completely from the manifest as it was not used.
  2. fixed
  3. fixed
  4. fixed
  5. fixed
#9

Lucky you. I am in waiting queue for 3 months.

#10

Final version submitted with remote data escaped for security reasons. Can someone check ? How can I ask to move my addon to normal queue ?

#11

There it is … try IRC #addon-reveiwers

#12

Whats your addon @c2covh?

#13

Sorry I’m not used to IRC. Can someone just review the last version of the addon ? It should be all fine now. Thanks !