Propose extension for AMO's Recommended Extension program

[fbender]

I understand this extension is in early stages, but I believe the security sensitivity aspect of it will sooner than later warrant an external security review. This, alongside the visible indicator (like a "certificate" for the review) for other Firefox users to see that they can trust this extension, can be provided through the "recommended extension" program on addons.mozilla.org (plus I'd say it's a pretty essential extension on macOS that Mozilla would be keen to promote).

Info on how to apply, relevant section:

If you’d like to nominate an extension you feel deserves consideration for the Recommended program—even if it’s one of your own—please email us a link to its AMO listing page at amo-featured [at] mozilla [dot] org and briefly explain why you think your extension should be considered for the Recommended list.

[au2001]

While I totally agree with the benefits of an external security review and enhanced technical verifications for each update, I feel like this extension does not yet meet Mozilla's criterias for Recommended extensions.

I will thus focus my efforts on meeting the following requirements before nominating the extension:

• Does the extension function at an exemplary level?

  13

  12

• Is the extension relevant to a general, international audience?

  10

[fbender]

I think one other aspect, also in light of a security audit, is to minimize the footprint of the code, both in terms of LoC and external dependencies. Two things that immediately came to my mind:

• SJCL: It's certainly a good, well-reviewed library. However, if at all possible, it would be better to use the browser's internal crypto library. I don't know if the required cyphers and APIs are available through the SubtleCrypto interface, though, so you can answer better whether replacing SJCL makes any sense at all :)
• React: While I assume you chose this library for simplicity and your personal experience and DevEx, it's a rather heavy dependency for some small-ish Frontend interaction. Replacing React with WebComponents + JS (or something like lit or even vue for some better DevEx) would go a long way to reduce the footprint. This is certainly a controversial suggestion; if you are open to it, I'd be interested in taking a stab at this.

I'm sure you have further ideas to keep the footprint small. Would you agree to the idea that I open a ticket to track this work? I understand if this is out of scope and distracting, so I figured I ask first :)

[au2001]

I definitely agree on keeping the footprint small. You can indeed open an issue to track that.

SJCL was used for SRP because that's what Apple's extension uses too. It's required for AES encryption/decryption, SHA256 hashing, big numbers, bit array manipulation, binary/hex/base64/utf8 transcoding, and a bunch of known group constants. Those are all very standard, so that should be feasible with the browser's built-in libraries or a very lightweight library.

As for React, I'd be happy to consider your PR if you wish to open one. I'm familiar with most frameworks, so building on top of that wouldn't be an issue for me. lit and Svelte are both good options in my opinion.

Two more things that come to mind are webpack and webextension-polyfill:

• I used webpack, but it doesn't provide the best performance nor bundle size. Tweaking the settings or switching bundler altogether could provide substantial benefits.
• The polyfill shouldn't be needed on Firefox, it is installed only for the extension to be compatible as-is on Chrome (just by changing background.scripts to background.service_worker in meta/manifest.json). Two separate bundles could be generated instead. One for Firefox without the polyfill, and another for Chrome with the polyfill and edited manifest.