
[BUG] 7TV Nightly (Self-Distributed) is restricted for violating Mozilla policies #1117

Open
2 tasks done
Inglonias opened this issue Dec 13, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@Inglonias

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest nightly version

  • I am using the latest nightly version

What browsers are you seeing the problem on?

Firefox

Current Behavior

image

Expected Behavior

The addon doesn't break the rules

Steps To Reproduce

N/A

@Inglonias Inglonias added the bug Something isn't working label Dec 13, 2024
@dathide

dathide commented Dec 13, 2024

Does the extension really execute remote code?

@Inglonias
Author

I don't know, but in an abundance of caution, Firefox disables the add-on automatically and throws up a bunch of scary warnings, which I have decided to heed for the time being.

@Qbreak

Qbreak commented Dec 22, 2024

I have the same problem. I can't install from the file. Even if I change the signing settings, it still gives the error that it can't be verified.

@furu00

furu00 commented Jan 24, 2025

same

@alepouna

I use Zen (a Firefox fork) and asked in the community there because I also faced this. I was given this answer, for anyone interested, as a workaround:

If you install the MV2 (manifest v2) version, extract it and go to about:debugging > This Zen on the left side > Load Temporary Add-on > load the manifest.json file in the extracted folder, it works.

@ilianoKokoro

@alepouna
This probably works, but it would get removed on browser restart.

@Soccera1

Soccera1 commented Feb 3, 2025

@alepouna This probably works, but it would get removed on browser restart.

If it's anything like vanilla Firefox, it gets enabled for a certain amount of time and then gets automatically disabled. AFAIK it's not browser restarts, but rather time.

@pmrt

pmrt commented Feb 4, 2025

@dathide : Does the extension really execute remote code?

Yeah, it's probably because of this (extract of README):

This repository is adapted as a BrowserExtension. It uses a manifest.json and the Extension API to run inside a browser.

The site-specific content and logic, however, runs as a Site Script, sectioned off by origin under src/sites. The Extension Content Script (src/content/content.ts) acts as a Loader for the site script, which is where the actual logic for modifying websites is located.

We do not use Isolated Worlds as we must access internal values from the website, which is not possible under an Extension Isolated World (content script).

So it seems that the extension dynamically loads a different script depending on the site (YouTube or Twitch). Not the best security-wise, as they could change the script, which doesn't live on Firefox's (or any other extension store's) servers, without any notice, even if automatic updates are disabled; it also escapes Firefox reviews (but well, the default method to install it on 7tv.app is manual download of the .xpi file from 7tv.app, so...).

If this extension gets hacked or an evil actor buys it (and it wouldn't be the first one) this could be a serious security issue.

For future-proofing, and given the user base, I really, really suggest and recommend that this be addressed with no workarounds. It needs a code/dev-tools restructuring and a new version bump probably, which I know is not a fun thing to do, but IMO it's worth it in the interest of the security of your users.

EDIT. On second thought, I think this extension was originally designed that way because it reads/modifies HTML elements of external sites (Twitch, YouTube), and on every build they probably change and break your extension, so it needs to be updated more frequently than store reviews take to be approved. As a suggestion, your extension could read a list of rules in a .txt (or any allowed file), and you could update the extension's HTML injection rules without waiting for store review approvals (like the filters of uBlock Origin), which would mean no dynamic remote code execution is needed.
