Extension review wait times are about to get much shorter

Sep 21 2017

One the of the main advantages of the new WebExtensions API is that it is less likely to cause security or stability problems for users. This means we can review these add-ons faster, and we have adapted our review flow accordingly. For the past few months we have reduced review wait times for add-ons written using the WebExtensions API. Today we’re taking another big step in that direction.

Add-ons built on the WebExtensions API will now be automatically reviewed. This means we will publish add-ons shortly after uploading. Human reviewers will look at these pre-approved add-ons, prioritized on various risk factors that are calculated from the add-on’s codebase and other metadata. This change is now live, and we plan to continue augmenting it in the coming months.

These changes give developers a much improved upload and publishing experience, but also comes with more responsibility on their end. Issues that arise during review can still lead to rejection of a version or a whole listing. This will now happen after publication, rather than before. We’re in the process of editing a new Review Policy that will make the rules, exceptions, and consequences clearer for everyone.

Tags: add-on reviews, developers, policy, webextensions

Categories: developers, policy, webextensions

29 responses

1. Juraj Mäsiar wrote on September 21, 2017 at 12:22 pm:

   I’m so happy to hear that
   My add-on was just approved so it seems to work nicely
   Great work!

2. K3N wrote on September 21, 2017 at 6:08 pm:

   This is good news, and a smart move. Good job!

3. Chuck Baker wrote on September 21, 2017 at 6:20 pm:

   Could it also be that there are now *FAR* less add-ons to review?

   1. Igor wrote on September 22, 2017 at 2:32 am:

      Hi Chuck.
      I want to thank you for FEBE. It was great addon. Do you think that such functionality will be possible in future in FireFox? Are you gonna do something similar? Sorry for off-topic.

      1. Chuck Baker wrote on September 22, 2017 at 2:26 pm:

         WebExtension APIs do not allow for file I/O (reading/writing to disk) which a backup program would obviously require. FEBE also required unfettered access to user data such as bookmarks, usernames/passwords, browser history, etc. Current WebExtension APIs do not allow this and I’m fairly certain no future APIs would ever allow it.

         1. Damien Cassou wrote on September 23, 2017 at 1:18 am:

            That’s what native messaging is for: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Native_messaging. My ‘passwe’ add-on reads file from the file-system and calls native gnupg binary.

   2. Jorge Villalobos wrote on September 22, 2017 at 7:28 am:

      No, add-on submissions have increased in the past few months. Partly due to developers porting Chrome add-ons, and partly because of developers making the migration to the new APIs. Fortunately add-ons using WebExtensions are easier to review, so the reviewer team has been able to keep wait times somewhat stable.

      1. Kees wrote on September 22, 2017 at 1:11 pm:

         Is there any informatie/update about the top 10-25 add-ons (minus obvious legacy ones like Firebug), which are already available/in the process of almost being completely compatible with WebExtensions?

         As I already have indicated earlier the main effort should go into these add-ons (where on the Mozilla side the WebExtension API’s should be made/made available and on the add-on developer site the effort should be in porting thec functionality over).

         Please note that most of these add-ons are popular for a reason, so their functionality should remain available…

         Could somebody on the Mozilla side give us an overview of what is ready, and when not: When can we expect the functionality in WebExtensions.

         Also a question: Some of the most disruptive innovations in add-ons were due to the fact that add-on developers could do almost anything via XPCOM – how would we get these kind of disruptions now that add-on developers are limited due to the rigid API provided by WebExtensions?

4. Harry Lockhart wrote on September 22, 2017 at 5:41 am:

   Won’t you encounter the same issues that Chrome Store has with extensions being auto-updated with malware ? Automated review and validation is very dangerous.

   1. Damien Cassou wrote on September 23, 2017 at 1:20 am:

      I’m also a bit frightened. What is Mozilla going to do with already installed add-ons that don’t pass the review process?

5. Trishul wrote on September 22, 2017 at 9:32 am:

   This is awesome, much awaited
   More power to developers

6. Semiramis wrote on September 22, 2017 at 12:10 pm:

   That will just reduce the gap between Firefox and Chrome regarding add-on safety.

   Manual reviews are the key point that protects Firefox from scandals that keep hitting Chrome (two more just this week). Not all add-ons will now be reviewed, and those that will be won’t get it right away, which is breaks my trust in updating add-ons blindly.

   Also, will there be any indication on the AMO page that an add-on version has been manually reviewed ?

   Sigh. It’s useless to implement crazy sandboxing security if add-ons can randomly start stealing data and spy on users. Just wait for genuine add-on developers to become less active and have their account stolen and their add-on discreetly tweaked, and nobody noticing it for a random period of time. Just wait for add-on developers to sell their thing to a greedy company that will push whatever they want. Just wait for regular developers to simply start allowing themselves more snooping, now that Mozilla doesn’t really enforce that their code respects the client side part of their privacy policy.

   Now I’ll have to be weary about add-ons and add-on updates, just when I was looking forward to installing more of them now that, as WebExtensions, I’m more assured that they can’t conflict with one another.

7. Nina So wrote on September 22, 2017 at 6:05 pm:

   Reading this comment section, it gave me the impression that Mozilla prioritizes extensions ported from Chrome rather than the already TOP and MOST USED extensions used in Firefox.

   If that isn’t a form of being deaf or being blind to the needs of Firefox’s most loyal users, I don’t know what else is. The new framework just doesn’t cut it (or at least not yet, though signs point that it never will) for the kind of extensions that Firefox users have grown up with and has integrated in their browsing habits.

   It’s kinda tragic Mozilla has to go to this point.

8. Ivy Wintaka wrote on September 22, 2017 at 6:10 pm:

   Regarding the new review process, I have my skepticism. Just because the new extensions framework is weaker in what it can do compared to the current one doesn’t mean that the new ones can’t be made to do something bad.

   After all, even Chrome Web Store sometimes doesn’t detect a malicious extension. Also, while those extensions might not do much harm in terms of what strong malware such ransomware can, it can still wreck havoc in our online accounts among other things.

9. Salar wrote on September 24, 2017 at 12:05 am:

   Finally! I don’t have to wait 3 weeks for approval no more

10. Anonymous wrote on September 26, 2017 at 3:33 am:

    To mitigate risk WebExtensions are being moved into a separate process with tighter sandbox. What about Tier3 platforms that lack sandboxing? Would AMO have an option to filter out auto-reviewed ones?

    I wonder if the decision may cause Firefox 57+ pushback from security conscious users on Solaris, BSD, etc.

11. Alex wrote on September 27, 2017 at 9:33 am:

    Do you have any plans on public API that allows to deploy and publish addons like Chrome Store has?

    1. Jorge Villalobos wrote on September 27, 2017 at 10:33 am:

       We have a public API that is currently limited to unlisted versions. We will expand that to listed versions in the future. It will probably have to wait until next year, though.

12. nobody important wrote on September 27, 2017 at 1:47 pm:

    … crazy – you still don´t get it Mozilla. The only reason to still use Firefox is to use the AddOns you are now abandoning. Are you really all brainwashed? You are ignoring all of your users since years – time to vanish. …

    1. Denis wrote on October 8, 2017 at 8:02 am:

       Looks like they decided to destroy Firefox. Their comments looks like they don`t care what uses think about loosing legacy addons. Almost all my addons will be disabled. I will not update to 57 and I don`t sure I should continue using Firefox at all after such things.

13. StopCopyingChrome wrote on September 30, 2017 at 8:55 am:

    Bitcoin miners have started to appear in automaticaly reviewed addons: https://www.reddit.com/r/firefox/comments/737kze/mining_codes_been_discovered_in_two_reviewed/

    1. Jorge Villalobos wrote on October 2, 2017 at 10:50 am:

       The issue with coin miners is more about it begin a new thing (for Firefox add-ons) and us not having a clear policy for them. We’re still figuring that out, but we’ve disabled the affected add-ons for now.

14. Nodetics wrote on October 7, 2017 at 3:22 am:

    Thank you Jorge Villalobos & rest of the team for implementing these shorter review times! It has been a life saver especially since there are some subtle but significant differences between Chrome and Firefox. Being able to submit new versions in a couple of minutes is excellent.

    THANK YOU!

    Our first Firefox ported extension is here (and improving every day!):
    https://addons.mozilla.org/en-US/firefox/addon/feedbroreader/

15. Irvin Chen wrote on October 8, 2017 at 3:30 am:

    I’d bring my concern over auto-approval add-on to Discourse for Mozillians to discuss
    https://discourse.mozilla.org/t/concern-about-how-add-on-automatic-reviewing-can-hurt-users-trust-to-firefox/20177

16. lmacri wrote on October 10, 2017 at 6:43 am:

    From Catalin Cimpanu’s 10-Oct-2017 bleeepingcomputer article Over 37,000 Chrome Users Installed a Fake AdBlock Plus Extension at https://www.bleepingcomputer.com/news/security/over-37-000-chrome-users-installed-a-fake-adblock-plus-extension/ : “Situations like this happen because the process of uploading extensions on the Chrome Web Store is automated and Google employees only intervene when the extension is reported.”

    One of the reasons I’ve stayed with Firefox is their thorough review process of extensions – frustrating for developers, perhaps, but an important extra layer of protection appreciated by most users. I just hope Mozilla’s automated review process will be able to catch these fake extensions that keep popping up on the Google Chrome Store.

17. Nguyen Viet wrote on October 11, 2017 at 7:54 am:

    How much average time from when an addon submited to get any reply (approved or rejected)? I’m a new web extension addon developer

    1. Jorge Villalobos wrote on October 11, 2017 at 12:58 pm:

       We don’t track the average time, but the automatic approval is less than a day.

       1. Nguyen VIet wrote on October 13, 2017 at 8:19 pm:

          Thank you, i see my extension have been approved :D, but i can not access it on addons.mozilla.org. Did i miss something

          1. Jorge Villalobos wrote on October 16, 2017 at 8:46 am:

             You can ask on the forum, with more details.