Mozilla Updates Policies: No Longer Accepting Add-Ons With Obfuscated Code

As part of Mozilla's updated add-on policy, which goes into effect on June 10, 2019, the Firefox browser maker said that it will no longer accept extensions that contain obfuscated code.

"We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included. If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked," wrote Caitlin Neiman, Add-ons Community Manager at Mozilla, in a blog post.

In software development, obfuscation refers to the practice of writing software that is difficult for humans to understand.

In some cases, code obfuscation is used to conceal the true purpose of the software, which makes it easy for cyber criminals to hide their malicious code. This is what Mozilla really wants to avoid.

Minification, on the other hand, refers to the process of removing redundant data and unnecessary white space, newlines, comments, formatting, and unused code, or shortening variable names, without affecting how the resource is processed by the browser.

Code minification is meant to make the code more efficient and smaller in size without altering its functionality or purpose. But minifying can also make the source code unreadable. To rule out any hidden malicious purpose, developers need to provide Mozilla with a copy of the human-readable source code.

Mozilla's updated policy aims to address the security concerns that come from both practices, as well as to make "add-ons safer for Firefox users."

"Because add-ons run in an environment with elevated privileges relative to ordinary web pages, they present a very serious set of security considerations. They have the potential to open security holes not only in the add-ons themselves, but also in the browser, in web pages, and, in particularly distressing cases, the entire system the browser is running on," explained Mozilla.

In addition to proactively blocking extensions that are found to be in violation of its policies, Mozilla adds that it is continuing its effort to block extensions that are found to be unsecured, that compromise users' privacy, that have "unexpected" features, or that circumvent user consent or control.

If an extension ever gets blocked for the above reasons, Mozilla explains that the blocking (or blocklisting) could be either a hard or a soft block.

A hard block completely disables the add-on, with no option for the user to manually re-enable it. A soft block, on the other hand, still allows users to override Firefox's block and continue using the add-on.

Firefox Add-ons

Add-ons for Firefox extend the core capabilities of the browser, enabling users to modify and personalize their web experience.

But since developers can create just about any extension they want, Mozilla wants them to take part in a healthy ecosystem that is built on trust. Such an ecosystem is vital for developers to be successful and for users to feel safe making Firefox their own.

For these reasons, Mozilla requires all add-ons to comply with its policies on acceptable practices.

All add-ons are subject to these policies, regardless of how they are distributed.

"Mozilla may attempt to contact the add-on’s developer(s) and provide a reasonable time frame for the problems to be corrected before a block is deployed. If an add-on appears to intentionally violate the policies or its developers have proven unreachable, unresponsive, or uncooperative, or in case of repeat violations, blocking may be immediate."
Published: 04/05/2019