
Security improvements in AMO upload tools

We are making some changes to the submission flow for all add-ons (both AMO- and self-hosted) to improve our ability to detect malicious activity.

These changes, which will go into effect later this month, will introduce a small delay in automatic approval for all submissions. The delay can be as short as a few minutes, but may be longer depending on the add-on file.

If you use a version of web-ext older than 3.2.1, or a custom script that connects to AMO’s upload API, this new delay in automatic approval will likely cause a timeout error. This does not mean your upload failed; the submission will still go through and be approved shortly after the timeout notification. Your experience using these tools should remain the same otherwise.

You can prevent the timeout error from being triggered by updating web-ext or your custom scripts before this change goes live. We recommend making these updates this week.

  • For web-ext: update to web-ext version 3.2.1, which has a longer default timeout for `web-ext sign`. To update your global install, use the command `npm install -g web-ext`.
  • For custom scripts that use the AMO upload API: make sure your upload scripts account for potentially longer delays before the signed file is available. We recommend allowing up to 15 minutes.
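One way a custom upload script can follow the second recommendation, as an added example that is not Mozilla's or web-ext's code: poll with a 15-minute deadline and report a client-side timeout as "still pending" rather than as a failed upload. `fetch_status` is a hypothetical caller-supplied function, and the status strings "pending", "signed" and "failed" are constructed for this example, not AMO field names.

```python
import time
from enum import Enum


class Outcome(Enum):
    SIGNED = "signed"
    REJECTED = "rejected"
    STILL_PENDING = "still_pending"  # deadline hit; approval may still follow


def wait_for_signed(fetch_status, max_wait=15 * 60, first_delay=5.0,
                    max_delay=60.0, clock=time.monotonic, sleep=time.sleep):
    """Poll until the submission is signed, rejected, or max_wait elapses.

    fetch_status (hypothetical) queries the upload API and returns "pending",
    "signed" or "failed". It may raise OSError on a transient network error,
    which is treated as "pending" and retried.
    Returns (Outcome, number_of_polls).
    """
    deadline = clock() + max_wait
    delay, polls = first_delay, 0
    while True:
        polls += 1
        try:
            status = fetch_status()
        except OSError:
            status = "pending"  # transient error: keep waiting
        if status == "signed":
            return Outcome.SIGNED, polls
        if status == "failed":
            return Outcome.REJECTED, polls
        remaining = deadline - clock()
        if remaining <= 0:
            # Not a failure: the submission can still be approved after the
            # client gives up, so the pipeline must not re-upload here.
            return Outcome.STILL_PENDING, polls
        sleep(min(delay, remaining))       # never sleep past the deadline
        delay = min(delay * 2, max_delay)  # exponential backoff, capped


if __name__ == "__main__":
    # Constructed sample: two "pending" answers, then "signed".
    answers = iter(["pending", "pending", "signed"])
    print(wait_for_signed(lambda: next(answers), first_delay=0.01))
```

A pipeline would treat `STILL_PENDING` as "check again later" and fail the build only on `REJECTED`.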

4 comments on “Security improvements in AMO upload tools”

  1. Laura VanLaningham wrote on

    I am trying to work with a lot of different browsers and I am a non-developer that has developer accounts if I could get an updated notifications alert or just a few emails to add to my team in order to accomplish my team with you. Like SharePoint and Dynamic 365 also Azure Portal it would be great.
    Thank you for your time
    LLVL

  2. Thierry Régagnon wrote on

    This is important news for developers as it might break their deployment pipelines. I wish it would be more obvious from the blog post title. This blog post asks developers to take urgent actions “We recommend making these updates this week.” but it is not conveyed through the generic title about “Security improvements”.

    Also, having a specific date instead of “These changes, which will go into effect later this month,” would help developers to better prioritize these actions, as they might have other urgent tasks to be done during this month.

    Lastly, this blog post should have been relayed on the “dev-addons” mailing list https://mail.mozilla.org/listinfo/dev-addons to be sure to reach as many extension developers as possible, or to accounts registered as developers on AMO.

    Following breaking changes from browsers when you are an extension developer is difficult; it would help us a lot if those changes were communicated as efficiently as possible. Thank you.

    1. Caitlin Neiman wrote on

      Hey Thierry, thanks for the feedback. We’ll do our best to incorporate them in the future. 🙂

  3. Nick Carter wrote on

    Security is great BUT you are sending out e-mails such as:

    Your add-on, XXXX, has passed our automatic tests. Version 1.0 is now signed and ready for you to download at https://addons.mozilla.org/developers/addon/9999999/versions. Note that you need to be logged in as a developer of the add-on before downloading.

    and this or shorter versions of it do not work while I am logged on. And do not work outside being logged on. I, and I expect others too, need some help here.
    Have put this on a and nobody has a clue.
    Thanks