Yesterday, Mozilla announced that according to its updated policies, extensions with obfuscated code will not be accepted on its add-ons platform. It is also becoming much stricter regarding blocking extensions that fail to abide by its policies. These policies will come into effect from June 2019. Last year in October, Google also announced a similar policy, which came into effect with the start of this year, to prevent malicious extensions from reaching its extensions store.
Obfuscated code is code deliberately written so that it is difficult for a human to understand. Common obfuscation practices include replacing function or variable names with odd but permitted characters, using reversed array indexing, and using look-alike characters. “Generally speaking, just try to find good coding guidelines and to try to violate them all,” said a developer on Stack Overflow.
However, obfuscated code should not be confused with minified, concatenated, or otherwise machine-generated code, which is acceptable. Minification means removing data that has no effect on the output, such as whitespace and code comments, and shortening variable names.
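As an added illustration (not code from Mozilla or from the original article), the sketch below shows how an extension author might pre-screen a bundle for the obfuscation traits described above while leaving plainly minified code alone. The indicator list, the `scanSource` function and both sample strings are constructed assumptions.

```javascript
// Added example: a heuristic pre-submission scan, not Mozilla's review tooling.
// The indicator list and the sample inputs are assumptions made for illustration.
const INDICATORS = [
  // Names such as _0x4a1f are typical output of automated obfuscators.
  { name: "hex-style identifiers", re: /\b_0x[0-9a-f]{3,}\b/gi },
  // Long runs of \xNN or \uNNNN escapes hide otherwise readable strings.
  { name: "escaped string runs", re: /(?:\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){4,}/gi },
  // Executing text assembled at runtime hides what the code does.
  { name: "dynamic code execution", re: /\beval\s*\(|\bFunction\s*\(/g },
  // Decoding embedded data before use is another way to hide strings.
  { name: "runtime decoding", re: /\batob\s*\(|String\.fromCharCode\s*\(/g },
  // Non-ASCII characters in declared names (look-alike characters).
  { name: "non-ASCII identifiers",
    re: /\b(?:var|let|const|function)\s+[\w$]*[^\x00-\x7F][\w$]*/g },
];

// Returns one entry per indicator that matched, with the number of hits.
function scanSource(source) {
  const findings = [];
  for (const { name, re } of INDICATORS) {
    const hits = source.match(re);
    if (hits) findings.push({ name, count: hits.length });
  }
  return findings;
}

// Constructed sample: minified only (short names, no whitespace).
const MINIFIED = "function a(b,c){return b+c}var d=a(1,2);console.log(d);";

// Constructed sample: the same kind of call hidden behind a string table.
const OBFUSCATED = String.raw`var _0x4a1f=["\x6c\x6f\x67","\x68\x65\x6c\x6c\x6f"];` +
  String.raw`console[_0x4a1f[0]](_0x4a1f[1]);`;

for (const [label, src] of [["minified", MINIFIED], ["obfuscated", OBFUSCATED]]) {
  const findings = scanSource(src);
  console.log(label, findings.length ? findings : "no indicators");
}
```

A hit is a prompt for manual review rather than proof of obfuscation, since legitimate bundles can also contain escape sequences or non-ASCII names.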
“We will no longer accept extensions that contain obfuscated code. We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included. If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked,” Caitlin Neiman said in a blog post.
If your extension contains transpiled, minified or otherwise machine-generated code, you are required to submit a copy of the human-understandable source code along with instructions on how to reproduce the build.
Here is a snippet from Mozilla’s policies:
“Add-ons are not allowed to contain obfuscated code, nor code that hides the purpose of the functionality involved. If external resources are used in combination with add-on code, the functionality of the code must not be obscured. To the contrary, minification of code with the intent to reduce file size is permitted.”
Mozilla also plans to take stricter steps against extensions that are found to violate its policies. Neiman said, “We will be blocking extensions more proactively if they are found to be in violation of our policies. We will be casting a wider net, and will err on the side of user security when determining whether or not to block.” Once the policies take effect, extensions containing obfuscated code that users have already installed will be disabled.
Many developers are supporting this decision. One Redditor commented, “This is great, obfuscated code doesn’t really belong anywhere in the frontend, since you have access to the code and can figure out what the program does given enough time, so why not just make it readable.”