Closed Bug 1541010 Opened 5 years ago Closed 4 years ago

Extension Block Request: Sourcegraph for Firefox

Categories

(Toolkit :: Blocklist Policy Requests, task)


RESOLVED FIXED

People

(Reporter: TheOne, Assigned: TheOne)

Details

Extension name Sourcegraph for Firefox
Extension versions affected <all versions>
Platforms affected <all platforms>
Block severity soft

Reason

Remote script injection

Extension GUIDs

sourcegraph-for-firefox@sourcegraph.com

Additional Information

At this time, I don't believe the add-on is malicious. The developer has been contacted several times with requests to assist in the code review and remove the remote script injection, without any response.

Assignee: nobody → awagner
Status: NEW → ASSIGNED
Type: defect → task

The block has been staged. Philipp, can you please review and push?

Flags: needinfo?(philipp)

Hi Andreas,

This add-on is intended to be self-hosted and self-distributed, not listed on AMO. It was most likely unintentionally listed when it was first signed using web-ext sign.

The AMO listing can be disabled, but it was our understanding that remote script execution was not an issue if the add-on was only self-hosted.

The source code of the add-on and its build process are open-source: https://github.com/sourcegraph/sourcegraph/tree/master/client/browser

How can I help further to solve this?

Flags: needinfo?(awagner)

Hi Loic,

our add-on policies state that "Add-ons must be self-contained and not load remote code for execution". At the top of that page, it states that "All add-ons are subject to these policies, regardless of how they are distributed".

Furthermore, we have reached out to you to submit human-readable source code following our requirements for that.

Please ensure that you read and follow all policies and provide the information requested previously.

Thank you.

Flags: needinfo?(awagner)

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #3)

Hi Andreas,

I have just added reviewer notes to access the human-readable source code for our add-on and reproduce its build steps for the latest version on AMO (v19.4.2.1038).

Loic, we ask that you go through the documents, adhere to all policies and meet the requirements we set for source code submission.

For review specific questions or comments, please reply to the reviewer email or on the developer hub.

Thank you.

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #5)

Andreas,

I had in fact replied to the reviewer email in response to your review on v19.3.20.1223 of the add-on, a week ago. Did that not get through?

As I mentioned in that email and in the above comment, we believed the restrictions to apply to listed add-ons only, and did not realise they would also apply to self-hosted extensions. We merely used AMO to sign our add-on using web-ext sign.

I have provided instructions on AMO that will allow you to access the source code, review it and reproduce its build process. If they're not adequate, let me know through the review system, and I'll be more than happy to provide the information you need. Again, all of our add-on's code is open source.

I can assure you we're acting in good faith. Would it be possible to remove the block while we work with you to solve this?

Done

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(philipp)
Resolution: --- → FIXED

Loic, we are getting a little off-topic for this bug. Can you please contact us directly at amo-admins AT mozilla DOT org? Thanks.

After talking to the developer, we have decided to lift the block for the latest version while they are working on a compliant version. I am reopening this bug instead of filing a new one to help keep track of the actions taken for this add-on.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Philipp, the block has been updated. Can you please review and push?

Flags: needinfo?(philipp)

Done

Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(philipp)
Resolution: --- → FIXED

The developer has not been able to make the add-on compliant with our policies at the current time, therefore we are reinstating the soft block.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

The block has been staged. Andreas, can you review and push?

Flags: needinfo?(awagner)

Done.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(awagner)
Resolution: --- → FIXED

Edit: Nevermind...

Flags: needinfo?(jorge)
Flags: needinfo?(jorge)

Updating the block to be partial from 0 to 20.5.20.1516. Once users have updated we can also consider making this a hard block given newer Firefox will only support those anyway.

Stuart, can you review and push?

Status: RESOLVED → REOPENED
Flags: needinfo?(scolville)
Resolution: FIXED → ---

Update approved and pushed.

Status: REOPENED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(scolville)
Resolution: --- → FIXED