Mozilla has announced that, starting from June 10, Firefox add-ons containing obfuscated code will no longer be allowed on its Add-ons portal and will be blocked.
“We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included,” Caitlin Neiman, Add-ons Community Manager at Mozilla, explained.
“If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked.”
Why obfuscated code is no longer accepted
Mozilla’s rejection of extensions with obfuscated code comes roughly seven months after Google stopped accepting Chrome extensions containing it.
At the time, the company explained its decision by noting that over 70% of malicious and policy violating extensions that they block from Chrome Web Store contain obfuscated code.
While obfuscation is not used exclusively to hide malicious code, it is difficult to review quickly – and that’s Google’s and Mozilla’s main beef with it, it seems.
Google, like Mozilla, allowed add-on developers to continue to use minified code.
More strict extensions blocking
Neiman also announced a more proactive approach to extensions blocking.
“We will be blocking extensions more proactively if they are found to be in violation of our policies. We will be casting a wider net, and will err on the side of user security when determining whether or not to block,” she noted.
“We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control.”
A block means tha the add-on is disabled in Firefox and users are unable to override it and continue to use the extension.
Mozilla also does “soft” blocking of add-ons that cause severe stability and performance issues in Firefox or contain non-critical policy violations. In that case, users can override the block.