Does Chrome Market accept extensions with minified

2019-02-24 02:03发布

问题:

I'm currently developing a Chrome extension and planning to publish it on Chrome market. I'm aware of open-source community benefits, however, do not want to share the source code and a bit worried about copyrights. Currently, the plan is to minify and obfuscate the source code before publishing. So the questions is:

Does Chrome Market accept extensions with minified and/or obfuscated source code?

Thanks in advance! :)

回答1:

It looks like they don't approve minified and obfuscated code. You can check thread on the Chromium Google Group, from April '16.

https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/1Jsoo9BPWuM

No, you cann't. This is email I received from Google Chrome Team: All of the files and code are included in the item’s package.

  • All code inside the package is human readable (no obfuscated or minified code).
  • Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).

You can get a more specific answer if you contact the Google Chrome team.



回答2:

Yes, you can use obfuscation tools (like jscrambler) before publishing your extension. I don't know if that may delay the publishing time, but I know for sure that are some published Chrome extensions with obfuscated/minified source code.

I, for instance, minify the code of my extension (LBTimer) with Google's Closure before publishing it.



回答3:

Update with own experience:

I wasn't able to submit a build obfuscated with this javascript-obfuscator (more specifically, gulp version in my case) They were complaining about "your code is suspicious" so I guess something triggered an alert in their system.

However uglyfy worked for that - I still had to figure out a way to rename all the prototype functions as uglify doesn't seem to do that (or at least I wasn't able to find a way to do that)


Original answer:

To sum up, it seems like chrome extensions are allowed to be minified and obfuscated.

For more details, keep reading.

First of all, there are two different terms - chrome extension and chrome app and different rules applies based on that. Chrome app has more strict requirements and it seems like mcastilloy2k's answer is suitable for chrome app (at least it looks like it is based on the available policies for both).

And regarding the below google's answer:

  • Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).

If it's for chrome extension and not for chrome app that seems strange as per the extension FAQ from google which explicitly states that extension is allowed to make external requests to execute custom API aka 'remotely hosted code':

Capabilities

Can extensions make cross-domain Ajax requests?

Yes. Extensions can make cross-domain requests. See this page for more information.

Can extensions use 3rd party web services?

Yes. Extensions are capable of making cross-domain Ajax requests, so they can call remote APIs directly. APIs that provide data in JSON format are particularly easy to use.

Can extensions use OAuth?

Yes, there are extensions that use OAuth to access remote data APIs. Most developers find it convenient to use a JavaScript OAuth library in order to simplify the process of signing OAuth requests.

Another discussion in this google groups thread shows that rejection might not be connected with obfuscation at all:

Eventually, these are the things I needed to do to get my extension passed (but I keep my fingers crossed in case some other validation test still has to be performed):

  • I created a privacy policy and added a link to it on the Google Chrome developer dashboard.
  • I explained in more detail what my extension is doing. It seems that Google needs this to have a better understanding of the extension.
  • In the description I explicitly stated how the extension handles personal or sensitive user data.

Eventually that was enough to get the extension pass the checks even with minified & obfuscated code (but remember I keep my fingers crossed).

Moreover one can always go and check existing extensions out there, like Grammarly for example, who has obfuscated code (to some extent at least) and who uses external API.