Mozilla changes review process for Firefox WebExtensions

Martin Brinkmann
Oct 3, 2017
Updated • Oct 3, 2017
Firefox
|
30

Mozilla will switch the manual review process to an automated process for WebExtension submissions to the official Mozilla Add-ons website (Mozilla AMO).

Developers who submitted a browser add-on for Firefox up until now had to go through a sometimes lengthy review process before their new add-ons or add-on updates would become available on Mozilla AMO.

Mozilla reviewed any add-on manually that developers submitted to the store. This meant better vetting of browser extensions, and a lower risk that malicious or otherwise problematic add-ons would land on Mozilla AMO.

mozilla firefox review

The downside to the review process was that reviews would sometimes take weeks before they were done. Not good from a developer point of view, especially if the release or update was time critical, for instance when it fixed issues that crept up in new versions of Firefox, or fixed major issues in the add-on.

The extra vetting of extensions was a distinct advantage over Chrome's automated processes, the longer review time a distinct disadvantage.

Mozilla enabled a system for Firefox recently that automates the previously manual review process. It does not mean that add-ons won't be reviewed manually anymore though.

Add-ons built on the WebExtensions API will now be automatically reviewed. This means we will publish add-ons shortly after uploading. Human reviewers will look at these pre-approved add-ons, prioritized on various risk factors that are calculated from the add-on’s codebase and other metadata.

The new process checks extensions that get uploaded by developers automatically similar to how extensions are checked for Google Chrome.

Manual reviewers will still review extensions, but they will do so after the extensions are already live on Mozilla AMO. Add-on reviews are prioritized based on risk factors and other data, and add-ons may be pulled from AMO if they fail manual reviews.

Issues that arise during review can still lead to rejection of a version or a whole listing.

In short: Firefox extensions have to pass automatic checks when they are uploaded by their developers. If they do pass those checks, they are made available on Mozilla AMO. Mozilla will review all add-ons just like before, but after the making available on the official site.

Closing Words

The change benefits developers, as it reduces the time between uploading an extension to Mozilla's servers and it becoming available to Firefox users.

The downside is that it increases the chance that extensions may become available that are problematic in one way or the other. Google for instance has to remove malicious or privacy invasive extensions that slipped past the company's automated review process regularly from the Chrome web store.

Summary
Mozilla changes review process for Firefox WebExtensions
Article Name
Mozilla changes review process for Firefox WebExtensions
Description
Mozilla will switch the manual review process to an automated process for WebExtension submissions to the official Mozilla Add-ons website (Mozilla AMO).
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. tozzedd said on November 19, 2017 at 4:37 pm
    Reply

    i’ve posted a bug requesting an option to allow user control over this:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1418779

  2. Anonymouse said on October 4, 2017 at 12:46 pm
    Reply

    Martin,

    Is Pale Moon news categorized with Firefox tag?

    1. Martin Brinkmann said on October 4, 2017 at 1:39 pm
      Reply

      No, it has its own tag.

  3. Anonymouse said on October 4, 2017 at 8:59 am
    Reply

    Martin, why do you remove Pale Moon and Firefox links on the website sidebar?

    I think it should be interesting spotlight because these two browsers, the original browser and the fork, could be contrasted each other, like Yin & Yang. One towards the newer technology versus the other that maintain older technology, although I know that using newer technology isn’t always a good thing.

    1. Martin Brinkmann said on October 4, 2017 at 9:55 am
      Reply

      I only publish article updates there, not software updates. When a minor update is released, I will re-add them.

      1. Anonymouse said on October 4, 2017 at 10:10 am
        Reply

        Do you update it for Opera too?

        AFAIK, I never saw Opera update there.

      2. Martin Brinkmann said on October 4, 2017 at 10:13 am
        Reply

        I only review main releases when it comes to Opera similarly to how I handle Chrome, if I report on Chrome releases at all.

  4. Anonymous said on October 3, 2017 at 6:14 pm
    Reply

    Extensions that have been reviewed via both automated process (step 1) & manual process (step 2) can have a verification mark like verified social media accounts do, while extensions that have only completed step 1 so far can still be available online for users but without a tick mark.

  5. Anonymous said on October 3, 2017 at 2:11 pm
    Reply

    This will help stuffing AMO’s repository because there will be a surge of new add-ons in the coming months.

    I can accept that, and security won’t be hurt under two conditions:

    – New add-ons to be installed are marked as not manually reviewed with for instance a yellow button, like it was done in the past

    – A user can ensure that updates to already installed add-ons are only installed after they have been manually reviewed

    We lack detail to see what will be taking place.

    1. Anonymous said on October 3, 2017 at 6:47 pm
      Reply
      1. Anonymous said on October 4, 2017 at 2:34 pm
        Reply

        Yeah it started already, but I doubt it has peaked yet. Probably if we could get data since January 2017 we would see that the rise started much earlier than last month. Nice use of RSS feed statistics by the way. I wonder if you can do the same with Feedbro, which I tend to favor because it works without an online service.

  6. Steve said on October 3, 2017 at 1:59 pm
    Reply

    Another difference between extensions approval between Firefox and Chrome has been that updates to the originally-approved extensions have also been vetted by Mozilla, while not so with Chrome. Providing a safe extension for initial review and reserving the malicious code for the update has been a common tactic in the past. Do we know if this new Mozilla process will also cover extension updates? If so, then Firefox extensions remain significantly safer than Chrome’s.

  7. Ben said on October 3, 2017 at 1:44 pm
    Reply

    > The new process checks extensions that get uploaded by developers automatically similar to how extensions are checked for Google Chrome.

    Oh, ChromeStore extensions are checked for malicious behavior? Would not have expected that.

  8. ShintoPlasm said on October 3, 2017 at 7:55 am
    Reply

    So what exactly *is* the difference between using FF and Chrome/Opera now?

    1. Bobby Phoenix said on October 3, 2017 at 2:36 pm
      Reply

      The biggest difference for me is the rendering engine. Firefox uses it’s own. Chrome, and all other main browsers like Opera, Vivaldi, etc all use Blink. This is my number one reason. I like how Firefox renders better than any other browser. Sure it may be minimal, and the average user won’t notice, but I do.

      1. Anonymous said on October 4, 2017 at 2:49 pm
        Reply

        Here’s some illustration of what anon said:

        Pics:
        http://screenshotcomparison.com/comparison/115757
        (mouse over: Firefox rendering, mouse out: Chrome rendering)

        Text:
        http://i.imgur.com/3H1lGVg.png (Left: Chrome, right: Firefox)
        http://i.imgur.com/QBbEvha.png (Up: Chrome, down: Firefox)

        It’s not always obvious with text. For instance with high DPI (smartphones) it probably won’t be visible. And the terribleness of second screenshot is probably an extreme scenario. Like pics, the improvement is difficult to perceive consciously but it can be FELT. The pics advantage become striking when pics are overlapped like in the link I gave.

      2. Anonymous said on October 3, 2017 at 8:20 pm
        Reply

        Exactly. And I thought I was the only one…

        Overall, Firefox renders the page better than any Chromium based browser because of his good font rendering and sharp image scaling. Nothing else compares (well, of course, we are living in a quasi monopoly with Gecko x Blink, so there’s almost nothing to compare).

        Chromium based browser just render pages like shit, the fonts are fuzzy and the resized images are blurred as hell. The final result is a mess and it gets worse if you use global zoom, which blurs even more.

        Technically, Firefox still has some problems like high CPU usage and some memory leaks, but I can live with that. A pretty rendered page matters a lot.

    2. Anonymous said on October 3, 2017 at 2:12 pm
      Reply

      Chrome doesn’t have manual reviews whatsoever as far as I know. Firefox still does.

    3. AnorKnee Merce said on October 3, 2017 at 12:49 pm
      Reply

      Firefox 57 = a clone of Chrome
      = lack of customization by users and developers = removal of freedom of choice.

      Might as well use Chrome.?

      1. Rick A. said on October 7, 2017 at 4:04 am
        Reply

        @AnorKnee Merce – “Might as well use Chrome.?” – Nah, not me. You can use that trash.

      2. Gary D said on October 3, 2017 at 3:02 pm
        Reply

        AnorKnee Merce

        Haven’t you heard of prefs.js and Ghacks user.js. in FF ? Type user.js in Ghacks search box at top right of page. Users can set up hundreds of configurable options, including privacy.

        Nothing equivalent is available in Chrome.

        Every time Mozilla releases a new feature for FF, all the moaners leave negative comments. EG:
        “Chrome clone” “Slow” ” AMO will be full of malware” “lack of features” , etc, etc.

        Search the web for all the Chrome add ons which have been corrupted with malware.

        Alternatively, use FF52 ESR ! In FF52, you can install all the Legacy add ons you want.

        Otherwise, use another browser. There’s plenty of choice !

      3. Bobby Phoenix said on October 3, 2017 at 2:38 pm
        Reply

        You will still be able to customize way more than any other browser even after 57 hits. https://github.com/Aris-t2/ClassicThemeRestorer/issues/365

    4. krtwnrke said on October 3, 2017 at 9:26 am
      Reply

      FF and Opera have sidebar API, Firefox’ll have “hide tab bar API”. Opera have Turbo mode (built-in proxy that can compress traffic). Firefox eats less PC resources. Chrome’re more stable with multi-processing. Firefox has more convenient Dev Tools for CSS and HTML. Chrome dev tools more are convenient for JavaScript.

  9. nonqu said on October 3, 2017 at 7:17 am
    Reply

    And this has already resulted in cryptocurrency miners being added to extensions hosted on AMO:
    https://www.reddit.com/r/firefox/comments/737kze/mining_codes_been_discovered_in_two_reviewed/dno8boj/

    1. Yupie said on October 3, 2017 at 2:52 pm
      Reply

      lol really fast. Martin please highlight this comment

  10. Tony said on October 3, 2017 at 7:16 am
    Reply

    Will there be a mechanism in place for Firefox users to learn if they have an extension installed that has been pulled from AMO due to malware or other concerns?

  11. mozi said on October 3, 2017 at 6:15 am
    Reply

    They can just make priority review, if an addon really need fast review process, the author can tick an option to ask for priority. To prevent abuse, the reviewer then will see if it indeed need priority or not. If not, the addon can be banned to ask for priority again for certain amount of time.

    Everyone should know the reason why there are so many malwares on Google Play compared to Apple Store. Mozilla doesn’t even pay those reviewers but they don’t even want to make a decent review system.

    Many people are still trying to deny it but this confirmed that Mozilla really want to follow Google principle.
    Expect more malwares later on AMO.

    1. Ayy said on October 3, 2017 at 6:40 am
      Reply

      >Expect more malwares later on AMO.
      indeed, troubling times for FF addons. I hope somebody forks the AMO and only allows manual verification of addons. I don’t care if it “takes weeks” for a mere hour of looking at code, I’d rather have somebody looking at it.

      at this point I may as well just stop using AMO entirely and only check github for addons because at least then you know what you’re getting.

      1. Harushi said on October 3, 2017 at 7:05 am
        Reply

        “I hope somebody forks the AMO and only allows manual verification of addons”
        And you will pay for them?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.