Provide your extension source code
Here you can find details of when you must provide your extension’s source code, details of the information you need to provide about the build process, and how to upload your source code.
When must source code be uploaded?
You must upload your extension’s source code when its code was created using:
Any source code that you submit is only accessible to a small group of admin reviewers.
Provide build instructions
An important aspect of reviewing source code is confirming that it’s the same code as used in your extension. This is to ensure that a malware author doesn’t provide legitimate-looking sources, but has added a backdoor to the minified code. It is, therefore, necessary for the reviewer to rebuild your extension from the source code.
To reproduce the build, the reviewer runs the instructions you provided and then uses a diff tool to compare the generated sources to those in the extension. There must be no differences. The easiest way to provide the build instructions is to include a README file with the submitted source code. If it’s one or two files that are processed, for example obfuscated, the instructions can be something like run uglifyjs data/mycoolstuff.js. If the extension is more complex, provide a script to perform the build. When preparing your instructions, remember to include:
- operating system and environment requirements.
- details, including required version and installation instructions, of any tools or utilities that need to be downloaded, for example, yuicompressor.
- a list of all the commands to generate an identical copy of the extension from the source code, for example, npm install or a grunt target. Ideally, you should include every command in the build script file.
The tools you use to minify or concatenate your source code:
- must be open source: we cannot verify a build made with commercial tools.
- cannot be web-based: all review builds are run locally. Using a web-based tool doesn’t allow the reviewers to be certain that your sources match the minified code. Some web-based tools offer a version that can be run locally, in which case provide a script to run the tool locally.
When using npm, yarn, or other package management tools that support it, be sure to include the lockfile, for example, package-lock.json. Otherwise, reviewers may use a different version resulting in differences between the generated code and that in the extension.
Assume the reviewer hasn’t installed any developer tools on their computer, that is, make sure you include all the set-up and build instructions to create your code. However, you don’t need to describe how to install common tools such as npm or node.
Tip: Use a build target relative to the directory containing the source, such as a dist subfolder. This makes it easier for the reviewer to locate your extension’s built code.
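The "no differences" comparison described above can be run before you submit. The following is an added example, not code from the original page or from the reviewers' tooling: it hashes every file in a rebuilt output directory and in the packaged extension (a ZIP archive) and lists each mismatch. The function names, the sample file names, and the default of skipping META-INF/ signing metadata are assumptions.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_dir(root: Path) -> dict:
    """Map each file's relative POSIX path to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def hash_package(package: Path) -> dict:
    """Same mapping for the packaged extension, which is a ZIP archive."""
    with zipfile.ZipFile(package) as zf:
        return {i.filename: sha256(zf.read(i))
                for i in zf.infolist() if not i.is_dir()}


def compare_build(build_dir, package, ignore=("META-INF/",)):
    """Return sorted (status, path) pairs; an empty list means a match.
    `ignore` is an assumption: skips signing metadata in a signed package."""
    built, shipped = hash_dir(Path(build_dir)), hash_package(Path(package))
    diffs = []
    for path in sorted(set(built) | set(shipped)):
        if path.startswith(tuple(ignore)):
            continue
        if path not in shipped:
            diffs.append(("only-in-build", path))
        elif path not in built:
            diffs.append(("only-in-package", path))
        elif built[path] != shipped[path]:
            diffs.append(("content-differs", path))
    return diffs


if __name__ == "__main__":
    # Constructed sample: the package's minified file differs from the rebuild.
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp, "dist")
        dist.mkdir()
        (dist / "main.min.js").write_bytes(b"console.log(1);")
        pkg = Path(tmp, "extension.zip")
        with zipfile.ZipFile(pkg, "w") as zf:
            zf.writestr("main.min.js", "console.log(2);")
        print(compare_build(dist, pkg))
```

Any entry in the returned list is a file the reviewer's diff would flag, so resolve each one (typically an unpinned dependency or a missing build step) before uploading the sources.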
How to upload source code
If you need to provide it, matching source code must be attached to every extension version.
The code submission process happens after the add-on validation step.