Mozilla changes review process for Firefox WebExtensions
Mozilla will switch from a manual review process to an automated process for WebExtension submissions to the official Mozilla Add-ons website (Mozilla AMO).
Developers who submitted a browser add-on for Firefox up until now had to go through a sometimes lengthy review process before their new add-ons or add-on updates would become available on Mozilla AMO.
Mozilla manually reviewed every add-on that developers submitted to the store. This meant better vetting of browser extensions, and a lower risk that malicious or otherwise problematic add-ons would land on Mozilla AMO.
The downside to the review process was that reviews would sometimes take weeks to complete. That was not good from a developer's point of view, especially if the release or update was time critical, for instance when it fixed issues that cropped up in new versions of Firefox, or fixed major issues in the add-on.
The extra vetting of extensions was a distinct advantage over Chrome's automated processes; the longer review time was a distinct disadvantage.
Mozilla enabled a system for Firefox recently that automates the previously manual review process. It does not mean that add-ons won't be reviewed manually anymore though.
Add-ons built on the WebExtensions API will now be automatically reviewed. This means we will publish add-ons shortly after uploading. Human reviewers will look at these pre-approved add-ons, prioritized on various risk factors that are calculated from the add-on’s codebase and other metadata.
The new process automatically checks extensions that developers upload, similar to how extensions are checked for Google Chrome.
Manual reviewers will still review extensions, but they will do so after the extensions are already live on Mozilla AMO. Add-on reviews are prioritized based on risk factors and other data, and add-ons may be pulled from AMO if they fail manual reviews.
Issues that arise during review can still lead to rejection of a version or a whole listing.
In short: Firefox extensions have to pass automatic checks when they are uploaded by their developers. If they pass those checks, they are made available on Mozilla AMO. Mozilla will review all add-ons just like before, but only after they have been made available on the official site.
Closing Words
The change benefits developers, as it reduces the time between uploading an extension to Mozilla's servers and it becoming available to Firefox users.
The downside is that it increases the chance that extensions that are problematic in one way or another may become available. Google, for instance, regularly has to remove malicious or privacy-invasive extensions from the Chrome Web Store that slipped past the company's automated review process.
I’ve posted a bug requesting an option to allow user control over this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1418779
Martin,
Is Pale Moon news categorized with Firefox tag?
No, it has its own tag.
Martin, why do you remove Pale Moon and Firefox links on the website sidebar?
I think it should be an interesting spotlight because these two browsers, the original browser and the fork, could be contrasted with each other, like Yin & Yang. One towards the newer technology versus the other that maintains older technology, although I know that using newer technology isn’t always a good thing.
I only publish article updates there, not software updates. When a minor update is released, I will re-add them.
Do you update it for Opera too?
AFAIK, I never saw Opera update there.
I only review main releases when it comes to Opera similarly to how I handle Chrome, if I report on Chrome releases at all.
Extensions that have been reviewed via both automated process (step 1) & manual process (step 2) can have a verification mark like verified social media accounts do, while extensions that have only completed step 1 so far can still be available online for users but without a tick mark.
This will help stuffing AMO’s repository because there will be a surge of new add-ons in the coming months.
I can accept that, and security won’t be hurt under two conditions:
– New add-ons to be installed are marked as not manually reviewed with for instance a yellow button, like it was done in the past
– A user can ensure that updates to already installed add-ons are only installed after they have been manually reviewed
We lack detail to see what will be taking place.
Newly created extensions, daily, last month, by InoReader statistics from AMO RSS feed https://addons.mozilla.org/en-US/firefox/extensions/format:rss?sort=created
https://screenshots.firefox.com/y6jbgGfhZFKaBE4U/www.inoreader.com
Yeah it started already, but I doubt it has peaked yet. Probably if we could get data since January 2017 we would see that the rise started much earlier than last month. Nice use of RSS feed statistics by the way. I wonder if you can do the same with Feedbro, which I tend to favor because it works without an online service.
Another difference between extensions approval between Firefox and Chrome has been that updates to the originally-approved extensions have also been vetted by Mozilla, while not so with Chrome. Providing a safe extension for initial review and reserving the malicious code for the update has been a common tactic in the past. Do we know if this new Mozilla process will also cover extension updates? If so, then Firefox extensions remain significantly safer than Chrome’s.
> The new process checks extensions that get uploaded by developers automatically similar to how extensions are checked for Google Chrome.
Oh, ChromeStore extensions are checked for malicious behavior? Would not have expected that.
So what exactly *is* the difference between using FF and Chrome/Opera now?
The biggest difference for me is the rendering engine. Firefox uses its own. Chrome, and all other main browsers like Opera, Vivaldi, etc. all use Blink. This is my number one reason. I like how Firefox renders better than any other browser. Sure it may be minimal, and the average user won’t notice, but I do.
Here’s some illustration of what anon said:
Pics:
http://screenshotcomparison.com/comparison/115757
(mouse over: Firefox rendering, mouse out: Chrome rendering)
Text:
http://i.imgur.com/3H1lGVg.png (Left: Chrome, right: Firefox)
http://i.imgur.com/QBbEvha.png (Up: Chrome, down: Firefox)
It’s not always obvious with text. For instance with high DPI (smartphones) it probably won’t be visible. And the terribleness of the second screenshot is probably an extreme scenario. Like pics, the improvement is difficult to perceive consciously but it can be FELT. The pics advantage becomes striking when pics are overlapped like in the link I gave.
Exactly. And I thought I was the only one…
Overall, Firefox renders the page better than any Chromium based browser because of its good font rendering and sharp image scaling. Nothing else compares (well, of course, we are living in a quasi monopoly with Gecko x Blink, so there’s almost nothing to compare).
Chromium based browsers just render pages like shit, the fonts are fuzzy and the resized images are blurred as hell. The final result is a mess and it gets worse if you use global zoom, which blurs even more.
Technically, Firefox still has some problems like high CPU usage and some memory leaks, but I can live with that. A pretty rendered page matters a lot.
Chrome doesn’t have manual reviews whatsoever as far as I know. Firefox still does.
Firefox 57 = a clone of Chrome
= lack of customization by users and developers = removal of freedom of choice.
Might as well use Chrome.?
@AnorKnee Merce – “Might as well use Chrome.?” – Nah, not me. You can use that trash.
AnorKnee Merce
Haven’t you heard of prefs.js and Ghacks user.js. in FF ? Type user.js in Ghacks search box at top right of page. Users can set up hundreds of configurable options, including privacy.
Nothing equivalent is available in Chrome.
Every time Mozilla releases a new feature for FF, all the moaners leave negative comments. EG:
“Chrome clone” “Slow” ” AMO will be full of malware” “lack of features” , etc, etc.
Search the web for all the Chrome add ons which have been corrupted with malware.
Alternatively, use FF52 ESR ! In FF52, you can install all the Legacy add ons you want.
Otherwise, use another browser. There’s plenty of choice !
You will still be able to customize way more than any other browser even after 57 hits. https://github.com/Aris-t2/ClassicThemeRestorer/issues/365
FF and Opera have a sidebar API, Firefox will have a “hide tab bar API”. Opera has Turbo mode (built-in proxy that can compress traffic). Firefox eats less PC resources. Chrome is more stable with multi-processing. Firefox has more convenient Dev Tools for CSS and HTML. Chrome dev tools are more convenient for JavaScript.
And this has already resulted in cryptocurrency miners being added to extensions hosted on AMO:
https://www.reddit.com/r/firefox/comments/737kze/mining_codes_been_discovered_in_two_reviewed/dno8boj/
lol really fast. Martin please highlight this comment
Will there be a mechanism in place for Firefox users to learn if they have an extension installed that has been pulled from AMO due to malware or other concerns?
They can just make a priority review: if an addon really needs a fast review process, the author can tick an option to ask for priority. To prevent abuse, the reviewer then will see if it indeed needs priority or not. If not, the addon can be banned from asking for priority again for a certain amount of time.
Everyone should know the reason why there are so many malwares on Google Play compared to Apple Store. Mozilla doesn’t even pay those reviewers but they don’t even want to make a decent review system.
Many people are still trying to deny it but this confirmed that Mozilla really wants to follow Google’s principle.
Expect more malwares later on AMO.
>Expect more malwares later on AMO.
Indeed, troubling times for FF addons. I hope somebody forks the AMO and only allows manual verification of addons. I don’t care if it “takes weeks” for a mere hour of looking at code, I’d rather have somebody looking at it.
At this point I may as well just stop using AMO entirely and only check GitHub for addons because at least then you know what you’re getting.
It has begun lol
https://www.reddit.com/r/firefox/comments/737kze/mining_codes_been_discovered_in_two_reviewed/
“I hope somebody forks the AMO and only allows manual verification of addons”
And you will pay for them?