
Issue: Firefox has been disabled (by Mozilla) #167

Open
Ephellon opened this issue Mar 5, 2020 · 6 comments
Labels

  • cant-fix: requests that can't be fixed by the developers (usually user oriented actions)
  • discussion: open ended forum to keep some issues down
  • firefox-only: requests that involve only the firefox version
  • in-trouble: this item is supported, but may be deprecated soon
  • question: requests that are questions, rather than informative statements
  • wiki: requests that can be added to the Wiki for future users


Ephellon commented Mar 5, 2020

Describe the error

Mozilla posted a message (I found out by trying to check the Add-on link)
This add-on didn't pass review because of the following problems:

1) Extensions defining a content security policy that allows eval ('unsafe-eval') are generally not allowed for security and performance reasons. eval is only necessary in rare cases. Please use a different method or explain why eval is required in your add-on.

2) This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk. For more information, see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page . Here are some examples that were discovered:
- options.js lines 577, 585, 695

3) We don't allow add-ons to use remote scripts because they can create serious security vulnerabilities. We also need to review all add-on code, and this makes it much more difficult. Please insert those scripts locally from your add-on code.
- plugn.js lines 514, 586, 603

Also, for the next release, please take care of the following:

1) Your add-on includes a third-party library. Please provide the origin of the exact library version you were using and make sure you are using an exact copy of the original maintainers release version. For more information, refer to https://extensionworkshop.com/documentation/publish/third-party-library-usage/ .
- lodash.min.js

To Reproduce

N/A

Estimated location

N/A


Extension Information

  • Version: 4.1+
  • Source: store
  • Browser: firefox
  • Operating System: Windows, Mac, *nix

Additional comments

I've posted a retort, and will keep this thread updated
Hi. Is there any way I could be notified the add-on has been disabled other than an obscure e-mail?
====
1. Unsafe Eval (CSP)

A) Used in "options.js" and "utils.js" for `function addListener` (:436 and :3455, resp.) because the event listeners get erased creating a copy of a node (I've already tried getting around this other ways, and chose this as the best route)
----
2. Unsafe DOM Node from HTML Strings

B) I'll just continue converting those to `document.furnish` (see *1)
----
3. Remote scripts

C) All remote scripts are the exact same as the ones provided in the add-on (see *2). They are hosted remotely so that the user doesn't have to constantly update their add-on whenever a supported site changes... I see how the security concerns come into play, but I've already put in blocking features for access to the user's data (see *3). I believe the extension requires this feature

D) I've changed lodash to be the "full" implementation.
====
Notes:
*1) This doesn't help in any way; it's the same data, but with extra padding surrounding it
*2) From the "scripts" and "plugins" folders at https://github.com/webtoplex/webtoplex.github.io/tree/master/web
*3) See issues #88, and #152 at https://github.com/SpaceK33z/web-to-plex/
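
The three findings in the review message quoted above ('unsafe-eval' in the CSP, HTML-string DOM sinks, remote scripts) can be checked before submission with a small scanner; this is an added example, not code from the project or from Mozilla's review tooling. The names `parseCsp` and `auditExtension`, the rule labels, and the regex heuristics are assumptions, and the manifest and file contents are constructed sample input.

```javascript
// Heuristic pre-submission audit for a WebExtension (added example, hypothetical names).
// Parse a CSP string into { directive: [sources...] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Line-level patterns for the sinks named in the review message (approximate).
const SOURCE_RULES = [
  ['eval', /\beval\s*\(|\bnew\s+Function\s*\(/],
  ['html-sink', /\.(innerHTML|outerHTML)\s*\+?=(?!=)|\.insertAdjacentHTML\s*\(|\.html\s*\(\s*[^)\s]/],
  ['remote-script', /['"`]https?:\/\/[^'"`\s]+\.js\b/],
];

function auditExtension(manifest, files) {
  const findings = [];
  // Manifest V2 stores the policy as a string, V3 under extension_pages.
  const raw = manifest.content_security_policy || '';
  const csp = parseCsp(typeof raw === 'string' ? raw : raw.extension_pages || '');
  const scriptSrc = csp['script-src'] || csp['default-src'] || [];
  for (const src of scriptSrc) {
    if (src === "'unsafe-eval'") findings.push({ rule: 'csp-unsafe-eval', where: 'manifest.json' });
    else if (/^https?:/i.test(src)) findings.push({ rule: 'csp-remote-script', where: 'manifest.json', detail: src });
  }
  for (const [name, text] of Object.entries(files)) {
    text.split('\n').forEach((line, i) => {
      for (const [rule, re] of SOURCE_RULES) {
        if (re.test(line)) findings.push({ rule, where: `${name}:${i + 1}` });
      }
    });
  }
  return findings;
}

// Constructed sample input (not the project's real files).
const sampleManifest = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'",
};
const sampleFiles = {
  'options.js': "row.innerHTML = '<b>' + title + '</b>';\nrow.textContent = title;",
  'plugin.js': "const url = 'https://cdn.example/plugins/site.js';\neval(await (await fetch(url)).text());",
};
console.log(auditExtension(sampleManifest, sampleFiles));
```

The scanner is line-based and will miss sinks reached indirectly (for example through a wrapper function), so a clean result narrows the review rather than replacing it.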
Ephellon commented Mar 5, 2020

If Mozilla disagrees with this, then the Firefox version will be moved to a different branch and no longer supported for future releases and features.

Side note, figured out the folder situation (no help from Mozilla's "tutorials"); folders must be located in a root folder named \data. Still not sure about Opera, as it strictly blocks the extension when a folder named data is found.


Ephellon commented Mar 6, 2020

They posted a reply 6 hours ago, saying "[No, follow the guidelines you've agreed to]." Fair enough, someone else will have to port Firefox from now on, sorry.

I'll fix what they've recommended and drop support at v4.2.0.0


Ephellon commented Mar 6, 2020

v4.2.0.0 should be coming out in 3 months (90 calendar days)

@Ephellon

Currently working on an Import / Export feature... This should satisfy Mozilla's requests?

Import/Export managers via JSON files (download option not available for Firefox)

Import/Export settings via JSON files

@Ephellon

Alright, starting from "scratch," will be a few months, maybe a year (at most). I'm going to build v5, and somehow implement Mozilla's "requests"


Ephellon commented Apr 3, 2021

Alright, starting from "scratch," will be a few months, maybe a year (at most). I'm going to build v5, and somehow implement Mozilla's "requests"

↑ Get rekt nerd
