Actually, exactly because it is a small subset of total extensions that is subjected to greater vetting, I don’t understand the conclusions of the AMO review team either:
It takes only a few seconds to see how this is nonsensical – keep in mind that this “was manually reviewed by the Mozilla Add-ons team”:
- “For add-ons that collect or transmit user data, the user must be informed and provided with a clear and easy way to control this data collection”
Where is the “data collection” in this file?
- “Your add-on contains minified, concatenated or otherwise machine-generated code”
Where is the “minification” in these files?
- https://github.com/uBlockOrigin/uBOL-home/blob/98f47e66b60fa9e0ac6b076cd8c5567ce7152498/firefox/web_accessible_resources/fingerprint2.js
- https://github.com/uBlockOrigin/uBOL-home/blob/98f47e66b60fa9e0ac6b076cd8c5567ce7152498/firefox/web_accessible_resources/google-analytics_analytics.js
- https://github.com/uBlockOrigin/uBOL-home/blob/98f47e66b60fa9e0ac6b076cd8c5567ce7152498/firefox/web_accessible_resources/google-analytics_ga.js
- https://github.com/uBlockOrigin/uBOL-home/blob/98f47e66b60fa9e0ac6b076cd8c5567ce7152498/firefox/web_accessible_resources/googletagservices_gpt.js
- “Also, if your add-on is listed on addons.mozilla.org, the listing needs to include a privacy policy, and a summary of the data collection should be mentioned in the add-on description.”
Right, it’s always been there since the first version published on AMO more than a year ago.
If anything, it just means that the reviewing process is not that great at scrutiny and vetting. I even suspect some of these review processes are automatic rather than manual. The code to review for the faulty files above is… 50 lines.
I totally understand that code auditing is a hard job, but I would only understand it if the tricky code were the complex kind. For these files, I can’t understand it.
He pulled the extension because the AMO team themselves removed all but the first, very outdated version on AMO. That’s a huge bug and a security risk for any new users installing uBOL. Pretty sure he’ll do the same if uBO gets the same treatment.
Also, for those who think enabling per-site makes more sense: no. One of the abilities that is not possible under Basic mode is removing tracking parameters, which is why the whole AdGuard URL Tracking Protection list is greyed out in that mode, because that whole list cannot be used without further permissions, and that list is recommended by PG itself. Enabling per-site does not make sense in these cases, since the tracking parameters are already loaded before you can manually switch to a higher mode.
Not really related to permissions, but another feature, ipaddress=, which protects against 0.0.0.0 exploits, is not available for uBOL either.