19 Oct 2020 |
@jplatte:matrix.org | stoic: 👋 | 11:22:49 |
22 Oct 2020 |
| @mopsi:ggc-project.de joined the room. | 23:22:26 |
24 Oct 2020 |
| @jplatte:matrix.org invited @jplatte:privacytools.io. | 23:10:06 |
| @jplatte:matrix.org left the room. | 23:10:15 |
| @jplatte:privacytools.io joined the room. | 23:43:41 |
28 Oct 2020 |
stoic | well, Mozilla decided to reject Radical from AMO
Rejected by Wall-e 18 minutes ago
Sorry for the delay, we validated your sources and the build process. We can go further in the review process.
This version did not pass the review because of the following issues:
1) We saw that you have a sandboxed iframe with attributes allow-scripts allow-same-origin. Please remove it as it is considered a dangerous practice and creates the risk of remote script execution.
matrix-react-sdk\src\components\views\elements\AppTile.js - L. 524
2) We don't allow add-ons to use remote scripts because they can create serious security vulnerabilities. We also need to review all add-on code, and this makes it much more difficult. Please insert those scripts locally from your add-on code.
riot-web\scripts\build-jitsi.js - L. 17
matrix-react-sdk\src\components\views\auth\CaptchaForm.js
3) This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk.
For more information, see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page .
Here are some examples that were discovered:
matrix-react-sdk\src\components\structures\RoomDirectory.js - L. 526
matrix-react-sdk\src\components\views\dialogs\ReportEventDialog.js - L. 106
matrix-react-sdk\src\components\views\messages\MFileBody.js - L. 333
matrix-react-sdk\src\utils\MessageDiffUtils.js - L. 29
Also please provide the following information for the next version:
Your add-on includes a third-party library. Please provide the origin of the exact library version you were using and make sure you are using an exact copy of the original maintainer's release version. For more information, refer to https://extensionworkshop.com/documentation/publish/third-party-library-usage/
Remind that established libraries must be included from their official source, in their original format without any modification (changing the file name does not matter). Please note that only stable releases are acceptable (not beta, pre, RC, dev etc) and that third party CDNs are not considered official sources.
Please provide us with valid links to the third party library you are using.
To determine what are valid third party library links follow this link: https://extensionworkshop.com/documentation/publish/third-party-library-usage/#how-to-determine-the-third-party-library-link
| 15:07:10 |
stoic | so i guess i'll drop radical | 15:07:26 |
stoic | not really interested in putting up with that | 15:07:35 |
tulir | does radical-native have a chance? | 15:08:56 |
stoic | RN isn't affected | 15:09:12 |
| stoic changed the room topic to "Extending Element with native capabilities: https://github.com/stoically/radical-native | Current release: 0.1beta15" from "Element as Firefox Add-on: https://github.com/stoically/radical | Current release: 1.7.7 | Extending Element with native capabilities: https://github.com/stoically/radical-native | Current release: 0.1beta15". | 15:16:52 |
| stoic changed the room name to "Radical Native WebExtension" from "Radical WebExtensions". | 15:17:03 |
@jplatte:privacytools.io | In reply to @stoically:matrix.org
well, Mozilla decided to reject Radical from AMO […]
I think 3) is something you might want to pass along to the Element Developers ^^ | 15:45:24 |
@jplatte:privacytools.io | In reply to @stoically:matrix.org
well, Mozilla decided to reject Radical from AMO […]
* I think 3) is something you should pass along to the Element Developers ^^ | 15:45:38 |
tulir | they're probably not actual problems | 15:46:36 |
tulir | not entirely sure about the last one, but the others look sanitized | 15:49:00 |
J. Ryan Stinnett | Sorry to hear about the AMO rejection... I personally hate their policies. 😠 You could potentially distribute it outside of AMO? | 16:01:40 |
stoic | can't run unsigned add-ons in stable firefox | 16:02:06 |
stoic | both listed and unlisted add-ons need to be signed through AMO for stable | 16:03:00 |
stoic | s/run/install/ | 16:03:47 |
stoic | maybe that motivates me to put RN on AMO tho :D | 16:08:24 |
stoic | since i'm using that add-on now as well heh | 16:08:56 |
stoic | i guess i should warn people here tho, the add-on will just disappear soon from the browser | 16:13:54 |
stoic | @room heads up: mozilla rejected radical (the add-on that bundled element) from AMO, so it'll soon disappear from your browser (details here), might want to take appropriate measures if it's your only active session. as a consequence i decided to discontinue support. radical-native is not affected and will keep working | 16:16:38 |
pwr22 | Did they give a reason for rejecting it? | 16:20:14 |
stoic | yeah, there's a link | 16:20:43 |
pwr22 | Ah sorry, didn't notice! | 16:20:55 |
kinghat | didnt realize they can remove extensions from ppls browsers | 16:25:42 |
J. Ryan Stinnett | In reply to @stoically:matrix.org: "can't run unsigned add-ons in stable firefox" Yes, but AFAIK you can send the add-on for signing but distribute off of AMO, and then that does not trigger review. | 16:26:47 |
stoic | In reply to @jryans:matrix.org: "Yes, but AFAIK you can send the add-on for signing but distribute off of AMO, and then that does not trigger review." same policies apply for self-distribution if you want it signed | 16:27:10 |