remove ability to pull latest version of resources.txt from remote repo.
This is required as per Firefox extension reviewers.

Mail exchange:

========

Reviewer:

> Do I read the code correctly that you are executing remote JS by
> downloading/updating from
> https://raw.githubusercontent.com/uBlockOrigin/uAssets/master/filters/resources.txt
> and injecting scripts in contentscripts.js?

Me:

> Yes, resources.txt contains scriptlets or other resources used to:
>
> - Minimize potential page breakage (e.g. google-analytics.com/ga.js);
> - Defuse anti-blockers (e.g. bab-defuser.js);
> - Defuse anti-blockers or minimize page breakage through redirection
>   (e.g. 2x2-transparent.png)
>
> This is not a new feature -- this is also part of the legacy version,
> and I consider this is a major feature of uBO. Given how fast things can
> change out there, this allows me to quickly push fixes when a new issue
> is reported for a site without having to go through a full update of the
> extension.

Reviewer:

> I am aware that this is not a new feature. I am unclear why it has been
> allowed in the past, since it violates our policy about remote code
> execution. I assume it was missed due to the fairly complex codebase.
>
> I can approve this version so you are not blocked on the migration, but
> eventually, you cannot use functionality that executes remote code.
> Since we're moving to a more automated review process, you will be able
> to ship new versions without being blocked on a human review.

Me:

> Do I understand correctly that extensions such as TamperMonkey or
> ViolentMonkey won't be allowed on AMO?
>
> Those extensions are even more permissive than uBO given a user can
> import scripts from any source, while with uBO only scriptlets which are
> part of the project are allowed.

Reviewer:

> The key difference between add-ons like Tampermonkey and uBO is that in
> Tampermonkey, users are making an active and conscious decision to
> download and execute that specific code. In uBO, the user did not
> initiate that download/execution, nor are they even aware of it
> happening.

Me:

> So users of TamperMonkey -- tech-savvy or not -- can download & inject
> countless 3rd-party user scripts from countless authors, have them
> update on their own automatically at regular interval with no user
> intervention.
>
> On the other hand, it's not acceptable for me, the author of the
> extension, who users implicitly trusted when installing the extension,
> who is completely controlling and vouching for the content of
> "resources.txt", to have this one 1st-party resource file to be
> updated at regular interval with no user intervention.
>
> So anyways, what is expected from me at this point? Do I need to remove
> scriptlet injection and resource redirection features? Do I need to
> remove only the updating part of resources.txt?
>
> key to core features of uBO (counter anti-blockers + page breakage
> mitigations) and possibly an important factor in installing the
> extension.

========

Now about this commit: the purpose of the code change here is to
prevent "resources.txt" -- which is part of the package -- from being
updated -- this applies only to the Firefox webext[-hybrid] version of
uBO.