stoically / radical

Element (Riot Web) unofficially bundled as Firefox Add-on
https://addons.mozilla.org/firefox/addon/radical-web
MIT License

Archived because Mozilla rejected Radical from AMO #67

Open stoically opened 3 years ago

stoically commented 3 years ago

Find below the reasons for rejection. Personally I think those are valid concerns from AMO regarding Radical, it'd require changes upstream though. If anyone is interested in picking up the ball feel free to fork and mention in https://github.com/vector-im/riot-web/issues/14643


Rejected by Wall-e 18 minutes ago

Sorry for the delay, we validated your sources and the build process. We can go further in the review process.

This version did not pass the review because of the following issues:

1) We saw that you have a sandboxed iframe with attributes allow-scripts allow-same-origin. Please remove it as it is considered a dangerous practice and creates the risk of remote script execution.

matrix-react-sdk\src\components\views\elements\AppTile.js - L. 524

2) We don't allow add-ons to use remote scripts because they can create serious security vulnerabilities. We also need to review all add-on code, and this makes it much more difficult. Please insert those scripts locally from your add-on code.

riot-web\scripts\build-jitsi.js - L.17

matrix-react-sdk\src\components\views\auth\CaptchaForm.js

3) This add-on is creating DOM nodes from HTML strings containing potentially unsanitized data, by assigning to innerHTML, jQuery.html, or through similar means. Aside from being inefficient, this is a major security risk.

For more information, see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Safely_inserting_external_content_into_a_page .

Here are some examples that were discovered:

matrix-react-sdk\src\components\structures\RoomDirectory.js - L. 526

matrix-react-sdk\src\components\views\dialogs\ReportEventDialog.js - L. 106

matrix-react-sdk\src\components\views\messages\MFileBody.js - L. 333

matrix-react-sdk\src\utils\MessageDiffUtils.js - L. 29

Also please provide the following information for the next version:

Your add-on includes a third-party library. Please provide the origin of the exact library version you were using and make sure you are using an exact copy of the original maintainer's release version. For more information, refer to https://extensionworkshop.com/documentation/publish/third-party-library-usage/

Remember that established libraries must be included from their official source, in their original format without any modification (changing the file name does not matter). Please note that only stable releases are acceptable (not beta, pre, RC, dev etc) and that third party CDNs are not considered official sources.

Please provide us with valid links to the third party library you are using.

To determine what are valid third party library links follow this link: https://extensionworkshop.com/documentation/publish/third-party-library-usage/#how-to-determine-the-third-party-library-link
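Added example, not part of the issue thread and not code from Radical, Element/matrix-react-sdk or Mozilla's validator: a small line-based scanner in JavaScript that flags the three code patterns the rejection above cites (a sandboxed iframe carrying both allow-scripts and allow-same-origin, scripts loaded from a remote origin, and HTML strings written into the DOM through innerHTML, jQuery.html or React's dangerouslySetInnerHTML) so they can be found before uploading to AMO. The sample sources, file names and URLs are constructed for the demonstration and are not the files named in the review; the checks are heuristics, not AMO's review rules.

```javascript
// Added example: a pre-submission scanner for the three patterns cited in the AMO
// rejection. Not code from Radical, Element/matrix-react-sdk or Mozilla's
// validator; the sample sources, paths and URLs below are constructed.

const CHECKS = [
  {
    id: "sandbox-escape",
    why: "sandbox with both allow-scripts and allow-same-origin: same-origin framed " +
         "content can reach the parent document and strip its own sandbox attribute",
    hit(line) {
      const m = /\bsandbox\s*=\s*["'`]([^"'`]*)["'`]/i.exec(line);
      if (!m) return false;
      const tokens = m[1].toLowerCase().split(/\s+/);
      return tokens.includes("allow-scripts") && tokens.includes("allow-same-origin");
    },
  },
  {
    id: "remote-script",
    why: "script fetched from a remote origin at runtime; bundle a copy of the " +
         "exact release inside the add-on instead",
    hit(line, prev) {
      if (/<script\b[^>]*\bsrc\s*=\s*["'](?:https?:)?\/\//i.test(line)) return true;
      // createElement("script") on a nearby line followed by el.src = "https://..."
      return /\.src\s*=\s*["'`](?:https?:)?\/\//i.test(line) &&
        [line, ...prev].some((l) => /createElement\(\s*["'`]script["'`]\s*\)/i.test(l));
    },
  },
  {
    id: "html-sink",
    why: "HTML string written into the DOM; build nodes with createElement/textContent " +
         "or sanitize with a vetted library before insertion",
    hit(line) {
      if (/\.innerHTML\s*\+?=(?!=)/.test(line)) return true;   // assignment, not comparison
      if (/dangerouslySetInnerHTML/.test(line)) return true;
      // jQuery .html(x) with a non-literal argument; the getter .html() and .html("lit") pass
      return /\.html\(\s*[^)'"`\s]/.test(line);
    },
  },
];

// Scan one file; `lookback` lines of context let the remote-script check pair a
// createElement("script") with the src assignment that follows it.
function scanSource(path, source, lookback = 3) {
  const findings = [];
  const lines = source.split(/\r?\n/);
  lines.forEach((line, i) => {
    const prev = lines.slice(Math.max(0, i - lookback), i);
    for (const check of CHECKS) {
      if (check.hit(line, prev)) {
        findings.push({ path, line: i + 1, id: check.id, why: check.why });
      }
    }
  });
  return findings;
}

function scanAll(files) {
  return Object.entries(files).flatMap(([path, src]) => scanSource(path, src));
}

// Constructed sample sources (not the real files named in the rejection).
const SAMPLES = {
  "widget-frame.jsx": [
    "<iframe",
    '  sandbox="allow-scripts allow-same-origin allow-forms"',
    "  src={this.props.url}",
    "/>",
  ].join("\n"),
  "load-remote.js": [
    'const s = document.createElement("script");',
    's.src = "https://example.com/external_api.js";',
    "document.head.appendChild(s);",
  ].join("\n"),
  "file-link.js": [
    `el.innerHTML = "<a href='" + url + "'>" + name + "</a>";`,
  ].join("\n"),
  "clean.js": [
    "el.textContent = name;",
    '$("#x").html();',
    'const a = document.createElement("a");',
    "a.href = url;",
    "a.textContent = name;",
  ].join("\n"),
};

for (const f of scanAll(SAMPLES)) {
  console.log(`${f.path}:${f.line} [${f.id}] ${f.why}`);
}
```

Run it over the constructed samples and it reports one finding per flagged file (the sandbox attribute, the runtime-loaded remote script and the innerHTML assignment) and nothing for the clean file, which builds the link with createElement and textContent. The checks are single-line regexes with a short lookback, so a script element created several lines away from its src assignment, or a sandbox attribute assembled at runtime, will slip past them; treat a clean run as a first pass, not as proof the reviewer will find nothing.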