
Issue: Firefox has been disabled (by Mozilla)

Open Ephellon opened this issue 4 years ago • 6 comments

Describe the error

Mozilla posted a message (I found out by trying to check the Add-on link)
This add-on didn't pass review because of the following problems:

1) Extensions defining a content security policy that allows eval ('unsafe-eval') are generally not allowed for security and performance reasons. eval is only necessary in rare cases. Please use a different method or explain why eval is required in your add-on.

2) This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk. For more information, see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page . Here are some examples that were discovered:
- options.js lines 577, 585, 695

3) We don't allow add-ons to use remote scripts because they can create serious security vulnerabilities. We also need to review all add-on code, and this makes it much more difficult. Please insert those scripts locally from your add-on code.
- plugn.js lines 514, 586, 603

Also, for the next release, please take care of the following:

1) Your add-on includes a third-party library. Please provide the origin of the exact library version you were using and make sure you are using an exact copy of the original maintainers release version. For more information, refer to https://extensionworkshop.com/documentation/publish/third-party-library-usage/ .
- lodash.min.js

To Reproduce

N/A

Estimated location

N/A

Screenshots


Extension Information

  • Version: 4.1+
  • Source: store
  • Browser: firefox
  • Operating System: Windows Mac *nix

Additional comments

I've posted a retort, and will keep this thread updated.

Hi. Is there any way I could be notified the add-on has been disabled other than an obscure e-mail?
====
1. Unsafe Eval (CSP)

A) Used in "options.js" and "utils.js" for `function addListener` (:436 and :3455, resp.) because the event listeners get erased when creating a copy of a node (I've already tried getting around this other ways, and chose this as the best route)
----
2. Unsafe DOM Node from HTML Strings

B) I'll just continue converting those to `document.furnish` (see *1)
----
3. Remote scripts

C) All remote scripts are the exact same as the ones provided in the add-on (see *2). They are hosted remotely so that the user doesn't have to constantly update their add-on whenever a supported site changes... I see how the security concerns come into play, but I've already put in blocking features for access to the user's data (see *3). I believe the extension requires this feature.

D) I've changed lodash to be the "full" implementation.
====
Notes:
*1) This doesn't help in any way; it's the same data, but with extra padding surrounding it
*2) From the "scripts" and "plugins" folders at https://github.com/webtoplex/webtoplex.github.io/tree/master/web
*3) See issues #88, and #152 at https://github.com/SpaceK33z/web-to-plex/

Ephellon · Mar 05 '20 16:03
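Two of the review points above (building nodes from HTML strings, and using `eval` because `cloneNode` drops event listeners) have a common answer: build the DOM from data and keep handler references in JavaScript rather than in serialised strings. The following is an added example and not code from the web-to-plex project; the `furnish` function is a hypothetical builder in the spirit of the `document.furnish` mentioned in the comment, not the add-on's own implementation, and `MiniElement`/`MiniText`/`fakeDocument` are a constructed stand-in for the real DOM so the example runs under Node. The stand-in models only the three behaviours the example depends on: text nodes never parse markup, attributes are plain strings, and `cloneNode()` carries no listeners.

```javascript
// Constructed stand-in for the DOM (not a real DOM): enough of the API for
// furnish() and cloneWithListeners() to be exercised outside a browser.
class MiniText {
  constructor(data) { this.nodeType = 3; this.data = String(data); }
  cloneNode() { return new MiniText(this.data); }
}

class MiniElement extends EventTarget {
  constructor(tagName) {
    super();
    this.nodeType = 1;
    this.tagName = tagName.toUpperCase();
    this.attributes = {};
    this.childNodes = [];
  }
  setAttribute(name, value) { this.attributes[name] = String(value); }
  appendChild(node) { this.childNodes.push(node); return node; }
  // As in the real DOM, a clone copies attributes and children but no listeners.
  cloneNode(deep = false) {
    const copy = new MiniElement(this.tagName);
    copy.attributes = { ...this.attributes };
    if (deep) copy.childNodes = this.childNodes.map(c => c.cloneNode(true));
    return copy;
  }
}

const fakeDocument = {
  createElement: tag => new MiniElement(tag),
  createTextNode: data => new MiniText(data),
};

// 1) Build elements from data instead of assigning innerHTML. Strings become
//    text nodes, so a title such as '<img src=x onerror=...>' stays literal
//    text and is never parsed as markup. Inline handler attributes are
//    refused outright so untrusted data cannot smuggle code in through them.
function furnish(doc, tag, attrs = {}, ...children) {
  const el = doc.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) {
    if (/^on/i.test(name)) {
      throw new Error(`inline handler attribute not allowed: ${name}`);
    }
    el.setAttribute(name, value);
  }
  for (const child of children) {
    el.appendChild(typeof child === 'string' ? doc.createTextNode(child) : child);
  }
  return el;
}

// 2) Remember listeners per node in a WeakMap so a copy can be re-wired
//    from live function references; no handler source is ever turned into
//    a string or eval()ed, so the CSP can stay without 'unsafe-eval'.
const listenerRegistry = new WeakMap();

function addListener(node, type, handler) {
  node.addEventListener(type, handler);
  const list = listenerRegistry.get(node) || [];
  list.push({ type, handler });
  listenerRegistry.set(node, list);
}

function cloneWithListeners(node) {
  const copy = node.cloneNode(true);
  for (const { type, handler } of listenerRegistry.get(node) || []) {
    addListener(copy, type, handler); // registers on the clone as well
  }
  return copy;
}

// Walk-through on a constructed untrusted title: the text node keeps the raw
// string, the re-wired clone fires its handler, a plain clone does not.
function demo() {
  const untrustedTitle = '<img src=x onerror="alert(1)">'; // constructed sample
  const card = furnish(fakeDocument, 'div', { class: 'plex-card' },
    furnish(fakeDocument, 'span', {}, untrustedTitle));

  let clicks = 0;
  addListener(card, 'click', () => { clicks += 1; });

  cloneWithListeners(card).dispatchEvent(new Event('click')); // counted
  card.cloneNode(true).dispatchEvent(new Event('click'));     // not counted

  return { titleNode: card.childNodes[0].childNodes[0], clicks };
}
```

With a real `document` passed in place of `fakeDocument`, `furnish` produces ordinary elements; the only browser-specific part the stand-in omits is rendering. Delegating events to a stable ancestor is the other common way to avoid re-attaching listeners after cloning, and needs no registry at all.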