Firefox Add-on Creation and Security

Recently I set out to create a site-specific Firefox add-on. This became a journey with many rough patches.

One of the most useful things for writing anything that modifies and interacts with a website's content is the jQuery library. It allows for much easier selection, traversing, and manipulation of the content in the webpage. So naturally, I wanted to use it in my add-on. Unfortunately, that is much more easily desired than accomplished.

I used the SDK provided by Firefox for simple add-on creation. I was able to quickly get a basic site-specific add-on that could store data locally, be configured via a button in the toolbar, and manipulate the data on the page based on the specified settings. Proud of how much I had completed, I submitted it to be accepted into the official Firefox add-on listing.

After waiting over a month, my add-on was rejected. The only feedback was that the jQuery checksum didn't match any of their jQuery checksums. So I tried again, re-downloading jQuery fresh and dropping it in my add-on. I followed that by resubmitting my add-on.

After another month of waiting, I was rejected again for the same reason. This time I hopped in the Firefox IRC and had the privilege of speaking directly to the person that had reviewed my add-on. After talking with him for a bit, I thought I had the answer for getting jQuery into the add-on properly. So I made the changes and submitted yet again.

After a few more weeks I was rejected again. Long story short: while it is easy to get an add-on started up, the review process is long and brutal. For something as simple as seeing a file named jQuery.js and seeing if it matches a known checksum, I had to wait for weeks. Fortunately I could still distribute the add-on myself to friends that were interested. But that leads me to the security of add-ons.
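A check like the reviewer's can be run locally before submitting. The following is an added example, not code from this post or from Mozilla's review tooling: it hashes a bundled library's bytes, compares the digest against an allowlist of known releases, and reports when a byte-level change (byte-order mark, CRLF line endings, trailing whitespace) explains a mismatch. SHA-256, the function names and the stand-in library bytes are assumptions; real digests would come from the library's official release files.

```python
import hashlib

# Constructed stand-in for a released library file (not real jQuery source).
PRISTINE = b"/*! example-lib v1.0.0 */\n(function () {\n  'use strict';\n}());\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Allowlist of known-release digests, built here from the stand-in bytes.
# In practice these come from the library's official release files.
KNOWN_RELEASES = {sha256_hex(PRISTINE): "example-lib 1.0.0"}

# Byte-level changes that alter the digest without altering the code.
NORMALIZERS = [
    ("UTF-8 byte-order mark", lambda b: b[3:] if b.startswith(b"\xef\xbb\xbf") else b),
    ("CRLF line endings", lambda b: b.replace(b"\r\n", b"\n")),
    ("trailing whitespace differs", lambda b: b.rstrip() + b"\n"),
]

def check_bundled_library(data: bytes, known=KNOWN_RELEASES):
    """Return (status, release, causes) for the bytes of a bundled library."""
    digest = sha256_hex(data)
    if digest in known:
        return ("match", known[digest], [])
    causes, current = [], data
    for label, normalize in NORMALIZERS:
        fixed = normalize(current)
        if fixed == current:
            continue
        causes.append(label)
        current = fixed
        release = known.get(sha256_hex(current))
        if release:
            # Same code as a known release, but the shipped bytes differ,
            # so a byte-exact reviewer check would still reject the file.
            return ("match-after-normalizing", release, causes)
    return ("unknown", None, [])

if __name__ == "__main__":
    samples = {
        "pristine": PRISTINE,
        "editor-saved (BOM + CRLF)": b"\xef\xbb\xbf" + PRISTINE.replace(b"\n", b"\r\n"),
        "modified": PRISTINE + b"extraCall();\n",
    }
    for name, data in samples.items():
        print(name, "->", check_bundled_library(data))
```

A result of `unknown` means the file's content differs from every allowlisted release, which is the case a reviewer cannot wave through without reading the code.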

Add-on Security

Add-ons have full access to your webpages. This includes all form data and anything you load, even in secure areas of websites. They see everything you see. It is extremely easy for an add-on to add event triggers to form submissions that send all of your data to a remote server where it can be accessed by the evil add-on creator. This could be the login for your online banking, your credit card information, or any other personal data. Therefore, you should always be aware of the source of your add-ons and ensure you trust them.