14

I'm currently developing a Chrome extension and planning to publish it on Chrome market. I'm aware of open-source community benefits, however, do not want to share the source code and a bit worried about copyrights. Currently, the plan is to minify and obfuscate the source code before publishing. So the question is:

Does Chrome Market accept extensions with minified and/or obfuscated source code?

Thanks in advance! :)

Josh Lee
  • My extension got "Taken Down" status, I suspect it was marked by bot for having minified code. Experience with chrome webstore support team was frustrating - still waiting for any answer. Requirement of "no obfuscated or minified code" is ridiculous - imagine if all platforms required the apps to be open-source. – Be Kind Jul 19 '18 at 05:54

4 Answers

15

Any existing answers above have been rendered obsolete by the terms change on January 1st, 2019. This change was announced on October 1st, 2018.

In summary:

  • Google allows minified code.
  • Google disallows obfuscated code.

The specific policy, available at https://developer.chrome.com/webstore/program_policies, is as follows:

Developers must not obfuscate code or conceal functionality of their extension. This also applies to any external code or resource fetched by the extension package. Minification is allowed, including the following forms:

  • Removal of whitespace, newlines, code comments, and block delimiters
  • Shortening of variable and function names
  • Collapsing files together
Community
Brian
  • 6
    how can we protect our code then? what if we are selling the extension? is just easy as download the extension (there are extensions for this) and just change the "if" line, or block the validation request – Enrique Jul 20 '19 at 12:20
  • 3
    @Enrique: move all your know-hows to the server and make the extension exchange messages with server. At least that's how we are doing it. It will not save your background.js code, nor content script code - but that's at least something. – avalanche1 Nov 09 '19 at 19:51
  • 1
    @avalanche1: I'll note that Google is slowly adjusting their terms to disallow extension authors to move their extension logic to their server. Quoting the latest policy's new Manifest V3 policy: "The extension may reference and load data and other information sources that are external to the extension, but these external resources must not contain any logic." – Brian Mar 04 '21 at 22:46
  • 3
    @Enrique: Google's intent is to write a policy which requires all extension code to be exposed. Under such a policy, it is impossible to mechanically protect your code (though you can still protect it via copyright). Any scenarios which do allow you to protect your code are essentially loopholes which Google will eventually close. Google is basically saying, "in order to protect our users, we want all extension functionality to be transparent." – Brian Mar 04 '21 at 22:51
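
The distinction drawn by the policy quoted in the answer above (minification allowed, obfuscation not) can be checked on a build before upload. The following is an added example, not part of any answer on this page and not Google's review logic: a heuristic scan whose markers, thresholds and three sample inputs are assumptions constructed for illustration.

```javascript
// Added example: heuristic markers are assumptions, not the Web Store's review logic.
const MARKERS = [
  // generated names in the style of javascript-obfuscator output, e.g. _0x3f1a
  { name: "hex-style identifiers", re: /\b_0x[0-9a-f]{3,}\b/gi, min: 3 },
  // string literals written entirely as \xNN or \uNNNN escapes
  { name: "escape-encoded strings", re: /(?:\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){3,}/gi, min: 1 },
  // code assembled from strings at run time
  { name: "dynamic code execution", re: /\beval\s*\(|\bnew\s+Function\s*\(/g, min: 1 },
];

function classify(source) {
  const findings = [];
  for (const { name, re, min } of MARKERS) {
    const hits = (source.match(re) || []).length;
    if (hits >= min) findings.push(`${name}: ${hits}`);
  }
  // Minified code keeps its structure but drops nearly all whitespace.
  const whitespace = (source.match(/\s/g) || []).length / (source.length || 1);
  let verdict = "readable";
  if (findings.length > 0) verdict = "obfuscated";
  else if (whitespace < 0.08) verdict = "minified";
  return { verdict, findings };
}

// Constructed samples: the same kind of message handler in three forms.
const READABLE = [
  "// Adds two numbers sent by the content script.",
  "function add(first, second) {",
  "  return first + second;",
  "}",
  "chrome.runtime.onMessage.addListener(function (msg, sender, sendResponse) {",
  "  sendResponse(add(msg.x, msg.y));",
  "});",
].join("\n");
const MINIFIED =
  "function a(b,c){return b+c}chrome.runtime.onMessage.addListener(function(d,e,f){f(a(d.x,d.y))});";
const OBFUSCATED = String.raw`var _0x3f1a=['\x61\x64\x64\x4c\x69\x73\x74\x65\x6e\x65\x72'];function _0x2b7c(_0x4d1e){return _0x3f1a[_0x4d1e];}`;

for (const [label, src] of [["readable", READABLE], ["minified", MINIFIED], ["obfuscated", OBFUSCATED]]) {
  console.log(label, classify(src));
}
```

A build that comes back as "obfuscated" is worth inspecting by hand before submission; a clean result does not guarantee acceptance.
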
9

2019 Update:

Google allows minified code, but not obfuscated code. See Brian's answer.

Original answer:

Yes, you can use obfuscation tools (like jscrambler) before publishing your extension. I don't know if that may delay the publishing time, but I know for sure that there are some published Chrome extensions with obfuscated/minified source code.

I, for instance, minify the code of my extension (LBTimer) with Google's Closure before publishing it.

Iván Nokonoko
  • How did you address the issue of Closure renaming variables in the chrome.runtime messaging functions? I've tried it with Closure and it broke all the messaging functions. – Tom Nov 11 '17 at 08:34
  • @Tom Use "simple" optimization instead of "advanced". This way it will not rename the global variables like `chrome.` APIs. – Iván Nokonoko Nov 12 '17 at 10:02
  • yes I am using simple optimization - there's something else going wrong and I'm struggling to find it. All my code is ES6 so Closure is transpiling into ES5 when I use the API, which makes it a bit hard to track down. At the moment, my principal suspect is the sendResponse function, which works like a promise but does not look like one. – Tom Nov 12 '17 at 11:19
  • Hi, Please could you edit this answer to remove the original. When I google "Can I obfuscate a chrome extension", it gets the text from the original rather than the recent update. – Conor Reid May 25 '22 at 14:40
6

It looks like they don't approve minified and obfuscated code. You can check the thread on the Chromium Google Group, from April '16.

https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/1Jsoo9BPWuM

No, you can't. This is the email I received from the Google Chrome Team: All of the files and code are included in the item’s package.

  • All code inside the package is human readable (no obfuscated or minified code).
  • Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).

You can get a more specific answer if you contact the Google Chrome team.

Community
mcastilloy2k
  • 2
    Ivan's answer is correct. This one is not- I just checked LBTimer's source code and it is indeed minified – zzzzzzz Mar 06 '17 at 00:02
  • the terms stated indicate: `All code inside the package is human readable (no obfuscated or minified code).` they reserve the right to make exceptions, but this is not expected. – brianyang Nov 08 '17 at 21:02
  • it's quite controversial from what I've found so far and it seems the answer is not quite correct. At least "Avoid requesting or executing remotely hosted code" is not applicable for extension as per google's FAQ on extensions (maybe it used to be but not at the time of writing the comment). Check my answer below for more details. – vir us Mar 27 '18 at 10:01
4

Update with own experience:

I wasn't able to submit a build obfuscated with this javascript-obfuscator (more specifically, the gulp version in my case). They were complaining about "your code is suspicious", so I guess something triggered an alert in their system.

However, uglify worked for that - I still had to figure out a way to rename all the prototype functions, as uglify doesn't seem to do that (or at least I wasn't able to find a way to do that).


Original answer:

To sum up, it seems like chrome extensions are allowed to be minified and obfuscated.

For more details, keep reading.

First of all, there are two different terms - chrome extension and chrome app - and different rules apply based on that. Chrome app has more strict requirements and it seems like mcastilloy2k's answer is suitable for chrome app (at least it looks like it is based on the available policies for both).

And regarding Google's answer below:

  • Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).

If it's for a chrome extension and not for a chrome app, that seems strange, as per the extension FAQ from Google, which explicitly states that an extension is allowed to make external requests to execute custom API aka 'remotely hosted code':

Capabilities

Can extensions make cross-domain Ajax requests?

Yes. Extensions can make cross-domain requests. See this page for more information.

Can extensions use 3rd party web services?

Yes. Extensions are capable of making cross-domain Ajax requests, so they can call remote APIs directly. APIs that provide data in JSON format are particularly easy to use.

Can extensions use OAuth?

Yes, there are extensions that use OAuth to access remote data APIs. Most developers find it convenient to use a JavaScript OAuth library in order to simplify the process of signing OAuth requests.

Another discussion in this google groups thread shows that rejection might not be connected with obfuscation at all:

Eventually, these are the things I needed to do to get my extension passed (but I keep my fingers crossed in case some other validation test still has to be performed):

  • I created a privacy policy and added a link to it on the Google Chrome developer dashboard.
  • I explained in more detail what my extension is doing. It seems that Google needs this to have a better understanding of the extension.
  • In the description I explicitly stated how the extension handles personal or sensitive user data.

Eventually that was enough to get the extension to pass the checks even with minified & obfuscated code (but remember I keep my fingers crossed).

Moreover, one can always go and check existing extensions out there, like Grammarly for example, which has obfuscated code (to some extent at least) and which uses an external API.

vir us