Paulo Andrade

Keeper of Secrets.

twitter github stackoverflow linkedin email
Firefox Add-ons Review Madness
Mar 22, 2021
5 minutes read

I’ve been dealing with Apple’s App Review team for so many years now I could probably write a book with the stories I have from it. But little did I know the most ridiculous story would not come from Apple, but from Mozilla’s Add-ons review team.

And do note I got some pretty ridiculous stories from Apple.

Secrets for Firefox

Last week I launched Secrets 3.6 and with it comes a new feature that required updates to the browser extensions.

As usual, I package up my extensions and submit them to both the Chrome Webstore and Mozilla’s Developer Hub. The Firefox submission is a bit different however. Since I use browserify they require me to upload the source code and build instructions alongside the packed up extension. That has always been the case.

The Chrome extension is accepted and goes live shortly after but the Firefox doesn’t pass review. Apparently they can’t follow the instructions:

Installation instructions:

1. install browserify
$ npm install -g browserify

2. install jq (
# installation differs depending on platform, but can also be installed with node
$ npm install node-jq -g
# if installed via node, the path to jq needs to be added to PATH
# so I definitely recommend using your system package manager (apt, brew, etc)

3. build 
$ make dist/firefox

The extension is now on dist/firefox.

On the rejection e-mail there’s a log of the shell interaction from the reviewer, and I can see he mistakenly read the command for step 3 as build instead of make dist/firefox. He eventually types the correct command but fails shortly after because of /bin/sh: 1: pushd: not found. This would be trivial to overcome for any developer I know (pushd is not available in sh but it is on mostly any other shell like bash)1 but since he’s probably already frustrated by his earlier mistake he calls it quits. And I would have been fine with that, no one knows everything… except he not only denied the update but HE DISABLED ALL VERSIONS OF THE EXTENSION 🤬. So none of Secrets' users can download the extension at this point.

In the week that I’ve just released an update to Secrets, this isn’t good news at all.

I make a change to my Makefile and add SHELL = /bin/bash and submit another update. Still denied. He sends me the logs (in Google Drive this time). I have a look at them and I don’t see any errors. The build completed successfully.

I let him know the extension is in dist/firefox as per the instructions. He replies the build doesn’t match the .xpi. I reply asking for more details on what doesn’t match and state that I don’t upload a .xpi but a .zip of the folder he already has built on his machine. He uploads his build to Google Drive and instructs me to use a diff tool to find the differences (I haven’t had to do this before for any of the other updates). I use DiffMerge and can see the files generated by browserify have differences.

A quick search on Google and I find an open issue on browserify. Sure enough one of the comments is of someone else having the same issue with Firefox Add-on review.

I’ve now made some changes to my dependencies to try and make browserify’s output deterministic. I also made the build instructions a single step. Still haven’t heard back from them.


As of writing, it’s been 7 days since the extension was removed, simply because they could not build an update. And I find this behaviour extremely arrogant. But unfortunately, it was not my first encounter with it.

With a previous update, after it was already made available I got a e-mail stating that a reviewer needed to be able to build the WASM file included in the extension or they would remove the extension within 15 days. I immediately reply stating that file comes from this dependency (which is listed on the node dependencies of the source code I upload) and give him the build instructions.

Then 12 days of silence.

Fearing a removal, I ask if there’s something wrong. The reviewer replies that he’ll review it again later that day and eventually comes back saying he can’t build it and sends me the logs. There’s like 2 days left for the 15 day timeframe they gave initially, so I stop everything I’m doing to figure this out. I’m able to reproduce his error with the most recent version of node, so I make a few changes and issue a PR to the original repo so that this reviewer can build.

Who would’ve thought that by submitting a Firefox extension I was signing myself up to maintain all of my dependencies building on the most recent versions of node?

Coincidence or not, both of these events were with the same reviewer. And if you have a feeling I was dealing with a script kiddie who thinks he’s an “3l1t3 h4x0r” because he’s on the Firefox review team, know that all this time I’ve been interacting with someone who goes by “unicorn2020”…

Update: Shortly after writing this post, the extension was finally approved. My extension is no different than it was 7 days ago.

  1. This pushd issue has happened in the past with another reviewer, at the time I simply explained what the command was and it went through. Silly me for not fixing the issue then for good. ↩︎

Back to posts