My extension got rejected (by the Chrome Web Store) !

Registering and updating Chrome extensions on the Chrome Web Store has become quite a headache since June 2018. The causes for rejection have obviously evolved over the past year, and Google is far from eager to publish the changes, on purpose. Even worse, some existing extensions get ousted from the store for obscure reasons, leaving thousands of users in the dark.

Without betraying too many secrets, here is a list of questions, based on my experience, that you should consider before submitting a new package:

A/ My extension has been installed for years, has undergone tens of upgrades and suddenly gets rejected ?

answer: review rules have changed; it has nothing to do with the small or large changes you made in the new version. Stop scratching your head and audit your addon against the new rules.

B/ Got the rejection message “Spam and Placement in the Store”

answer: there are a few reasons for that and you should review:
  • in your manifest file
      - a 132-character “description” is mandatory
      - an “icons” section is mandatory and should include at least BOTH 48x48 and 128x128 icons
  • in your CWS registration information
      - the detailed description should give a comprehensive understanding of the extension's objective and outcome.
      - at least a couple of screenshots are necessary to be on the safe side.

C/ What should you absolutely check ?

answer: given the review time, make sure the zip file you upload is installable. The process for a local/dev build is of course different from the distribution process, and zip files may fail to load due to some stupid discrepancy. Before uploading, make sure your zip file installs without an error message by dragging it onto your chrome://extensions page.

D/ What are the typical things to avoid ?

answer:
  • Google reviewers have become very wary of imported JavaScript. Do not use eval() on code coming from outside the addon package.
  • If you are re-using JavaScript code from other people which is not a well-known module (like jquery or underscore, etc.), don't use a minified version. Allow the Google reviewers to understand the code.
  • Code obfuscation is not accepted anymore, although minification is tolerated.
  • Manifest permissions: you should NOT plan for the future and include unused chrome APIs; restrict yourself to the minimum viable set. Also avoid broad permissions as much as possible, since they give addons tremendous potential for malicious use. Also, do not repeat API names in the permissions section.
  • Don't submit Swiss-army-knife addons addressing disparate requirements: Google requires a single purpose and will reject your addon!

E/ How to avoid using broad permissions

answer:
  • first of all, some extensions can’t do without them: they fall into the category that enhances the browser across the board (password managers and security addons are typical).
  • for others, you may use the activeTab permission.
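
The manifest points from B/, D/ and E/ can be checked before every upload. The following Node.js script is an added example, not part of the original post and not Google's review logic; the function name auditManifest, the list of host patterns treated as broad and both sample manifests are assumptions made for illustration. It reads the description rule as "present and at most 132 characters", which is the limit Chrome enforces.

```javascript
// Added example: pre-submission audit of manifest.json against the checklist above.
// Host patterns treated as "broad" here are an assumption, not an official list.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];

  // B/ "description" must be present; Chrome caps it at 132 characters.
  const desc = typeof manifest.description === "string" ? manifest.description.trim() : "";
  if (!desc) findings.push("description: missing");
  else if (desc.length > 132) findings.push(`description: ${desc.length} characters (limit 132)`);

  // B/ "icons" must include both the 48x48 and the 128x128 entries.
  const icons = manifest.icons || {};
  for (const size of ["48", "128"]) {
    if (!icons[size]) findings.push(`icons: ${size}x${size} missing`);
  }

  // D/ and E/ Manifest V2 keeps hosts in "permissions", Manifest V3 in "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const seen = new Set();
  for (const p of perms) {
    if (seen.has(p)) findings.push(`permissions: "${p}" is repeated`);
    seen.add(p);
    if (BROAD_HOSTS.has(p)) findings.push(`permissions: "${p}" is broad, consider activeTab`);
  }

  // D/ In Manifest V2, eval() in extension pages needs 'unsafe-eval' in the CSP.
  const csp = JSON.stringify(manifest.content_security_policy || "");
  if (csp.includes("'unsafe-eval'")) findings.push("content_security_policy: allows 'unsafe-eval'");

  return findings;
}

// Constructed sample manifests (not taken from a real extension).
const risky = {
  manifest_version: 2, name: "Sample", version: "1.0",
  icons: { "48": "icon48.png" },
  permissions: ["tabs", "storage", "tabs", "<all_urls>"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const tidy = {
  manifest_version: 2, name: "Sample", version: "1.0",
  description: "Highlights the selected word on the current page.",
  icons: { "48": "icon48.png", "128": "icon128.png" },
  permissions: ["activeTab", "storage"],
};

console.log(auditManifest(risky));
console.log(auditManifest(tidy));
```

Run it on the manifest.json inside the zip you are about to upload, not on the one in your dev tree, so that build-time differences are caught as well.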

F/ How to deal with user data privacy ?

answer: addons are no different from websites and often send data about the user or about what the user is doing with the addon. The data should be described in a privacy policy, and a link to the dedicated web page should be associated with the developer account.
A common mistake is to associate the policy with the wrong account.
Regarding debugging, you may want your addon to send extensive logs to your backend, especially early in its life. In this case, you should allow the user to opt out at installation time with a specific dialog and of course describe this process in the privacy policy.

G/ Will publishing in unlisted mode ease the validation process ?

answer: not really. Publishing unlisted means your addon is not searchable or advertised on the Chrome Web Store. However, your addon remains registered there and can be advertised from any website for installation. So basically it does not relax any security constraint.

H/ How long is validation process expected to take ?

answer: highly variable. Some complain about weeks, others about days. In my experience, initial registration takes between 3 and 5 days. Like any store, CWS has a process where a manual step can be added to the automatic review, depending on how risky the addon's characteristics look from a malicious-use perspective. Once my addons are registered, publishing an update takes about a couple of days.

I/ Is the Google review process faultless ?

answer: no, there are clearly cases where the process has failed and wrongly rejected extensions. If, after auditing your addon, you still feel there is no valid reason, you should reply to the rejection email. You can also submit an issue here. If your entire account has been suspended, you should file an appeal here.


J/ How to deal with review delays ?

answer:
  • The ideal solution is to host the addon yourself, but it requires all your users to belong to the same enterprise Google domain.
  • During development, exchanges between devs and QA are very frequent and you can't afford to distribute and wait for the web store's reaction. In this case, you'll need to distribute the zip files to your QA people. They will install them quickly in dev mode by dragging the zip file onto the chrome://extensions page.
  • In cruise mode, a 5 to 7 day turnaround for an update is a difficult thing to work with and there is no magic wand. For each addon, you may want to register 2 copies on the store, a staging one and a production one. You then first validate major updates on the staging one with a friendly user base, and you propagate the change to your production addon once it has proven satisfactory.

K/ Can my addon eval remote JS code ?

answer:
  • in theory yes, although Google has clearly indicated that those extensions will be thoroughly reviewed and monitored. This is clearly a potentially gigantic security hole, since the addon designer could dynamically change the behavior and turn it to malicious activities.
  • so your extension will definitely go sooner or later into the manual review pipe (with a potential turnaround of 3 weeks) at each upgrade.
  • and you'll have to provide justifications... and keep in mind the single purpose concept !!

L/ Where can I find the related chrome policies ?