Obfuscate WebExtension allowed? - google-chrome-extension

I've developed my first addon using the WebExtension api.
Is it allowed to obfuscate my background and options javascript files? (for example removing all newlines and/or rename my descriptive variable names)
There is a little note in the "Signing and distributing your add-on" doc:
You should not obfuscate your code to bypass validation warnings. That practice can lead to your add-on being rejected and
potentially blacklisted.
https://developer.mozilla.org/en-US/Add-ons/Distribution
But if I understand correctly, this is only regarding obfuscation to bypass warnings.

Yes, it is permitted to obfuscate or minimize your code. Mozilla's Review Policies are quite clear regarding Review Policies:Source Code Submission:
Listed and unlisted add-ons may contain binary, obfuscated and minified source code, but Mozilla must be allowed to review a copy of the human-readable source code upon request. In such cases, the author will receive a message from Mozilla asking for their assistance in the review. The submitted source code will be reviewed by an administrator and will not be redistributed in any way. The code will only be used for the purpose of reviewing the add-on.
Instructions for reproducing obfuscation are also required, please read the details of this guideline to ensure a swift review.
If your add-on contains code that you don't own or can't get the source code for, you may contact us for information on how to proceed.
There is, in fact, a page dedicated to describing Source Code Submission (linked in the quote above).
The basics of the requirements are that if you choose to minimize or obfuscate your code, then you need to:
Upload the unminimized and unobfuscated code as part of the submission to AMO (this version of the code is not distributed; it's only used for review).
Provide detailed instructions of how to produce the minimized/obfuscated code. They must be able to exactly reproduce the minimized/obfuscated code you have provided.
Providing minimized/obfuscated code will increase the amount of time required for your review. Your review will be an "admin" review which has a much smaller pool of reviewers, which is part of what makes it take longer.

Related

Creating a github dashboard on portfolio site

Thank you for giving me a piece of your time. This question really isn't a "how to", but more of a "is this possible or am I just insane?". I've recently looked at some portfolio pages and found a really great idea from https://flexdinesh.github.io/, but in the "portfolio" section instead of having just the characteristics of the project, is it possible to somehow use the Github API or some other equivalent to extract and present data like number of commits (or the table that github shows on your project page) and what project type it is (i.e. Java, Javascript, etc.) and maybe even some more related information. For background I am using React with Node.js. Again, this is probably useless to everyone out there, but I think it could be something cool if A) it actually exists, and B) it's not too much of a pain to implement. I've tried reading up on the documentation from Github, looking online, and looking at different source code, but no luck there. If anyone has any information or feedback I'm always open to help!
Thank you and have a good day
From what I understand, you want to display statistical information about the projects on your portfolio website.
GitHub provides an API that can get almost all the information you see on their website.
So, to get all the languages being used in a repository you can do a GET request on https://api.github.com/repos/:owner/:repo/languages.
To get the number of commits you can do a GET request on https://api.github.com/repos/:owner/:repo/commits
and so on.
By default, these will get you the data of the public repositories; if you want to display info from your private repositories, you need to provide an authentication token with each request.
You can read more about the API calls available here.
Let me know if you need any more help.
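The two endpoints named in the answer above, combined into one repository summary; this is an added example, not code from the original answer. It is written for the Node.js backend so that the authentication token for private repositories never ships in the React bundle. The function names, the `per_page=1` plus `Link` header way of counting commits, and the injectable `fetchImpl` are assumptions of this example.

```javascript
// Added example: summarise a repository for a portfolio page via the GitHub REST API.
// Meant to run server-side (Node.js), so the token is never exposed to the browser.
const API = "https://api.github.com";

// Turn the /languages response ({ language: bytes }) into sorted percentage shares.
function languageShares(bytesByLanguage) {
  const total = Object.values(bytesByLanguage).reduce((a, b) => a + b, 0);
  if (total === 0) return [];
  return Object.entries(bytesByLanguage)
    .sort(([, a], [, b]) => b - a)
    .map(([name, bytes]) => ({ name, percent: Math.round((bytes / total) * 1000) / 10 }));
}

// /commits is paginated; with per_page=1 the rel="last" page number is the commit count.
// Returns null when there is no Link header (the result fits on a single page).
function lastPageFromLink(linkHeader) {
  if (!linkHeader) return null;
  for (const part of linkHeader.split(",")) {
    const m = part.match(/<([^>]+)>\s*;\s*rel="last"/);
    if (m) return Number(new URL(m[1]).searchParams.get("page"));
  }
  return null;
}

// fetchImpl is injectable for offline tests; token is only needed for private repositories.
async function repoSummary(owner, repo, { token, fetchImpl = fetch } = {}) {
  const headers = { Accept: "application/vnd.github+json" };
  if (token) headers.Authorization = `Bearer ${token}`;
  const base = `${API}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}`;

  const langRes = await fetchImpl(`${base}/languages`, { headers });
  if (!langRes.ok) throw new Error(`languages request failed: ${langRes.status}`);
  const commitRes = await fetchImpl(`${base}/commits?per_page=1`, { headers });
  if (!commitRes.ok) throw new Error(`commits request failed: ${commitRes.status}`);

  const onePage = (await commitRes.json()).length; // 0 or 1 when no Link header is sent
  const commits = lastPageFromLink(commitRes.headers.get("link")) ?? onePage;
  return { languages: languageShares(await langRes.json()), commits };
}
```

The React front end would call a route on your own server that returns the result of `repoSummary`, rather than calling api.github.com with the token itself.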

Can we develop Google Contextual Gadget?

I am trying to develop a contextual gadget, but I am not finding any documentation for it. Google provides a document which is very old and has not been updated for a long time. The process explained in that documentation to develop a gadget is deprecated.
Please, if anyone has a solution, help me.
You may want to check full documentation in Gmail Contextual Gadgets which was last updated June 29, 2016.
To develop a Gmail Contextual Gadget, you may want to first check the given implementation parts also discussed in the documentation. Then, you may go through this summary of steps:
Use JQuery, or write JavaScript that conforms to ECMAScript 5 Strict Mode.
Note: You need to be using the correct development frameworks to provide an extra layer of protection between your gadget's potential vulnerabilities and your end users. To find out why, see Using the right frameworks for security.
Choose one or more pre-canned extractors. This determines which type of content will trigger your gadget.
Write a manifest for the gadget.
Write the gadget spec. This determines what the gadget will do when it is triggered.
Publish the gadget spec to a location which is accessible on the public Internet. An intranet will not work. Your hard drive will not work. (Why? Google's servers need to download the gadget. If they can't reach it, then Gmail can't display it.)
Install the gadget.
Test the gadget by sending yourself some email. The gadget should appear in Gmail whenever you read an email that contains the right sort of content. For more tips on testing gadgets, see Publishing Your Gadget in the gadgets API site.
It will really help if you go through the documentation as there are best practices, limitations and important details that you should note.
This related SO post might also help.

In Excel Online, OfficeJS API is not passing the host_Info_ parameter anymore to Excel Add-In

I don't know when this started happening or if things have changed but the _host_Info param is not being passed by the framework to my Excel Add-In in Excel Online.
It passes an empty "et=" parameter which is OK in this case since I'm in dev mode. The Excel desktop client is still passing it.
This is required by my add-ins to switch functionality between Excel Online and Excel for Windows.
I've checked the docs and can't find that anything has changed.
To append to Sudhi's answer: with the official API coming as per the link in Sudhi's answer, we've gone ahead and also added a "shim" for the API in the OfficeJsHelpers library.
The shim still uses the workaround code that Sudhi mentions -- window.sessionStorage['hostInfoValue'] -- but it wraps it in an API very similar to what is coming in the official Office.js. Once the official API is available, we'll switch the shim code to make use of that instead. The beauty of this approach is that if you use OfficeJsHelpers via an NPM package, all you have to do is update your package dependency, and you'll suddenly go from an unofficial and potentially-fragile workaround to an API that relies on 100% officially-exposed properties -- all without changing your own code! Likewise, if at that time you decide to switch back to using the official Office.js version, the similarity of the APIs (essentially just namespace differences) should make it trivial to switch over the implementations.
The helper APIs are OfficeHelpers.Utilities.host (which will return WORD, EXCEL, etc.) and OfficeHelpers.Utilities.platform (which will return IOS, PC, OFFICE_ONLINE, or MAC). The constants are defined in OfficeHelpers.HostType and OfficeHelpers.PlatformType.
You can find the NPM package at https://www.npmjs.com/package/@microsoft/office-js-helpers, and either install it via NPM, or use a CDN like Unpkg to quickly try it out: https://unpkg.com/@microsoft/office-js-helpers@0.4.2/dist/office.helpers.min.js
console.log(OfficeHelpers.Utilities.host);
console.log(OfficeHelpers.Utilities.platform);
if (OfficeHelpers.Utilities.platform === OfficeHelpers.PlatformType.OFFICE_ONLINE) {
    console.log("Yep, I'm on the web client");
}
I hope you find the above helpful as an interim measure, and we'll be sure to update this StackOverflow thread (and the OfficeJsHelpers code) once the official API is released.
Jim and others who may be affected by this change: it is unfortunate that an unrelated change meant to improve the add-in experience caused the query string parameter in the online platform to be removed. Note that URL query parameters and session storage settings are used to launch and set up the add-in environment and are not meant for developer consumption. However, we understand the importance of this to the developers as described in this thread.
Hence, we are adding formal APIs to make this information available. Please see the specs that describes upcoming APIs: https://github.com/OfficeDev/office-js-docs/tree/ContextAdditions_OpenSpec
Until the APIs become available (should be very soon), you could use the following temporary workaround. The same query host_info_ parameter value is available in the following variable: window.sessionStorage.hostInfoValue. Please note that this should be considered a temporary measure and you should switch to using the formal API as soon as it is made available. I'll update this thread when the API is released, which should be available for all supported Office versions.
If you have any comments, please leave your comments on the specs directly in Github specification branch using the links provided.
UPDATE:
Please see my answer above, instead (https://stackoverflow.com/a/40963500/678505), as the scenario is now possible.
[Old response:]
Jim, could you describe your scenario more? Why is it that you need to distinguish between Online and Desktop?
For the disappearance of host_info_: you won't find it in the docs, because host_info_ was never in the docs. Anything not documented is an internal API, which might change as needed by the internal workings of Office.js. We take back-compat very seriously, but only for actual official documented APIs.
Without an API, there's not much you can do to tell the two apart (or rather, not without relying on other bits of internal workings which might also change over time). We've discussed this internally before, but found it surprisingly difficult to point to a particular scenario where the platform information was necessary and legitimate ("legitimate" in the sense that if you're using platform information to check whether an API is available, for example, that's precisely what we don't want you to do; we want you to use Office.context.requirements.isSetSupported instead).
If you can share your scenario details, I might be able to advise an alternate way of determining whatever you need, or have a solid scenario to bring back to the team.

Does Chrome Market accept extensions with minified and/or obfuscated source code?

I'm currently developing a Chrome extension and planning to publish it on Chrome market. I'm aware of open-source community benefits, however, do not want to share the source code and a bit worried about copyrights. Currently, the plan is to minify and obfuscate the source code before publishing. So the question is:
Does Chrome Market accept extensions with minified and/or obfuscated source code?
Thanks in advance! :)
Any existing answers above have been rendered obsolete by the terms change on January 1st, 2019. This change was announced on October 1st, 2018.
In summary:
Google allows minified code.
Google disallows obfuscated code.
The specific policy, available at https://developer.chrome.com/webstore/program_policies, is as follows:
Developers must not obfuscate code or conceal functionality of their
extension. This also applies to any external code or resource fetched
by the extension package. Minification is allowed, including the
following forms:
Removal of whitespace, newlines, code comments, and block delimiters
Shortening of variable and function names
Collapsing files together
2019 Update:
Google allows minified code, but not obfuscated code. See Brian's answer.
Original answer:
Yes, you can use obfuscation tools (like jscrambler) before publishing your extension. I don't know if that may delay the publishing time, but I know for sure that there are some published Chrome extensions with obfuscated/minified source code.
I, for instance, minify the code of my extension (LBTimer) with Google's Closure before publishing it.
It looks like they don't approve minified and obfuscated code. You can check the thread on the Chromium Google Group, from April '16.
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/1Jsoo9BPWuM
No, you can't. This is the email I received from the Google Chrome Team:
All of the files and code are included in the item’s package.
All code inside the package is human readable (no obfuscated or minified code).
Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).
You can get a more specific answer if you contact the Google Chrome team.
Update with own experience:
I wasn't able to submit a build obfuscated with this javascript-obfuscator (more specifically, the gulp version in my case). They were complaining about "your code is suspicious", so I guess something triggered an alert in their system.
However, uglify worked for that - I still had to figure out a way to rename all the prototype functions as uglify doesn't seem to do that (or at least I wasn't able to find a way to do that).
Original answer:
To sum up, it seems like chrome extensions are allowed to be minified and obfuscated.
For more details, keep reading.
First of all, there are two different terms - chrome extension and chrome app - and different rules apply based on that. Chrome app has more strict requirements and it seems like mcastilloy2k's answer is suitable for chrome app (at least it looks like it is based on the available policies for both).
And regarding the below google's answer:
Avoid requesting or executing remotely hosted code (including by
referencing remote javascript files or executing code obtained by XHR
requests).
If it's for chrome extension and not for chrome app that seems strange as per the extension FAQ from google which explicitly states that extension is allowed to make external requests to execute custom API aka 'remotely hosted code':
Capabilities
Can extensions make cross-domain Ajax requests?
Yes. Extensions can make cross-domain requests. See this page for more
information.
Can extensions use 3rd party web services?
Yes. Extensions are capable of making cross-domain Ajax requests, so
they can call remote APIs directly. APIs that provide data in JSON
format are particularly easy to use.
Can extensions use OAuth?
Yes, there are extensions that use OAuth to access remote data APIs.
Most developers find it convenient to use a JavaScript OAuth library
in order to simplify the process of signing OAuth requests.
Another discussion in this google groups thread shows that rejection might not be connected with obfuscation at all:
Eventually, these are the things I needed to do to get my extension
passed (but I keep my fingers crossed in case some other validation
test still has to be performed):
I created a privacy policy and added a link to it on the Google Chrome developer dashboard.
I explained in more detail what my extension is doing. It seems that Google needs this to have a better understanding of the extension.
In the description I explicitly stated how the extension handles personal or sensitive user data.
Eventually that was enough to get the extension
pass the checks even with minified & obfuscated code (but remember I
keep my fingers crossed).
Moreover one can always go and check existing extensions out there, like Grammarly for example, who has obfuscated code (to some extent at least) and who uses external API.

How to automatically set gmail filter via chrome extension?

I would like to implement the following use case as a Chrome extension:
user visits gmail
extension checks current email body for a keyword
if a keyword is present, a gmail filter is added and saved (adding label, archiving, the details are not important here)
The first part sounds easier: there is gmail API to work with and even a gmail.js project that should make it easier.
Adding filter seems to be much harder. There is email settings API doing precisely what I want but I am fairly sure it is usable only by business accounts (custom email domains, won't work for gmail.com). I want the solution to be more universal.
One thing I thought of was to use browser automation - upon seeing the trigger keyword, the script automatically clicks 'Add filter' link, waits for AJAX, sets filter parameters and confirms.
An example of simulated user activity is in this answer
This could happen either on gmail page behind the popup ('Please wait, adjusting filters') or in background tab to keep it from interfering with user's flow. This seems like ugly workaround for me, though.
Is there a more straightforward or simply better approach that I'm missing?
After more experimentation and reviving an older github project I found out that setting the filter for a logged in user can be achieved simply by issuing a specific POST message to gmail from the current session.
I don't fully understand the parameters used in this request (if anyone has better information, please share), but I found a sample code which was greatly helpful.
The second issue, widely discussed in the gmail.js community, is that Gmail security policies will prevent you from injecting your own scripts. This is bypassed by the method shown in this boilerplate project.
I compiled these solutions to solve my particular use case. Here is an example project with my solution, which should work out of the box - and when in doubt, see readme.
