AJAX or Important Data/Scripts Issue


DS Team

Oct 1, 2016, 11:53:43 AM
to apps-dev
Hi CWS Team and Developers,

Please help me understand and address this issue.

What happened?
The other day one of my extensions was rejected and my account suspended just because they could be making some AJAX calls in my background.js and common.js scripts.


What is the fact?
It is true, but we are just making one AJAX call to get some backup URLs/API Keys in background.js, and then another AJAX call in common.js to get simple notification data/JSON.  Since those API Keys are confidential we are just encrypting using a simple encoding algorithm, then get/show notifications to users to update them about useful features and new changes etc.


So, isn't it a really bad process and decision over it?  Just because we make an AJAX call and get some content doesn't mean those are scripts.  Those are absolutely not scripts. Even if they are scripts, it's a genuine use case where we need to load some utility scripts that support some feature.  This is a super basic use case across any standard Chrome or web application.  There are 100s of extensions, including the topmost ones, that do the same process.  What is the big deal here?

At least, you should give the freedom to make AJAX calls; if not, how do we achieve or offer dynamic features, notifications and support to users?  Do you want us to keep updating extensions every time just because we have common/features data to share with users, and your bots reject them as they fail to get the difference in new code?

I do not understand what background your CWS engineers are coming from, but it is very, very clear that none of you understand the basic aspects of web applications that apply to extensions as well.  We would not have to waste so much time here if we really intended to offer malicious extensions to users.  Because we want to give users the best experience without making too many changes, but handle them via dynamic calls for content/links etc.  There are instances where we have to keep API keys and tokens encrypted by using the simple Base64 encoding format; if not, users are just hacking them and stealing that important data.  How are you going to address this?  Has your CWS team ever thought of supporting these basic confidential code aspects of extensions?

There are 1000s of extensions that I know personally which are in many ways against your Program and TC policies.  So what is your company doing against them?  Many of your own extensions have obfuscated code and are making similar calls and getting scripts dynamically.  So why are you not following your own guidelines?  Why are you putting contradicting rules on users?

If you still feel there is an issue with those scripts, have you ever tried installing those extensions and just seeing how they work with your open eyes, without them causing any issues?  Why are you not applying your common sense here? If so, for God's sake please do change your attitude towards validating extensions and change your policies, understanding the basic use cases of how everything works.  Please STOP your bots doing validations and use your minds and help the developer community.  You may just need better/smart code that really detects what is malicious code and what is not, then decide whether to publish or reject such apps.

I hope the developer community supports this and the CWS team puts an appropriate fix and resolution to this asap!  Please help me understand if I am still missing anything.

- Thanks
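
Added example, not part of the original post and not the extension's own code: one way to handle a fetched notification response strictly as data, so that nothing in it can act as a script. The field names (`title`, `body`, `link`), the length limits and the host `updates.example.com` are assumptions made for illustration.

```javascript
// Hypothetical allowlist and limits; adjust to the real notification format.
const ALLOWED_LINK_HOSTS = new Set(["updates.example.com"]);
const ALLOWED_KEYS = ["title", "body", "link"];
const MAX_TITLE = 80;
const MAX_BODY = 500;

function checkText(value, max, name) {
  if (typeof value !== "string" || value.length === 0 || value.length > max) {
    throw new Error(name + " must be a non-empty string of at most " + max + " chars");
  }
  return value;
}

// Takes the raw response text and returns a plain {title, body, link} object,
// or throws. The response is only ever parsed, never evaluated.
function validateNotification(rawText) {
  let data;
  try {
    data = JSON.parse(rawText); // no eval(), no new Function(), no script injection
  } catch (e) {
    throw new Error("response is not JSON");
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("notification must be a JSON object");
  }
  for (const key of Object.keys(data)) {
    if (!ALLOWED_KEYS.includes(key)) throw new Error("unexpected field: " + key);
  }
  const title = checkText(data.title, MAX_TITLE, "title");
  const body = checkText(data.body, MAX_BODY, "body");
  let link = null;
  if (data.link !== undefined) {
    if (typeof data.link !== "string") throw new Error("link must be a string");
    let url;
    try { url = new URL(data.link); } catch (e) { throw new Error("link is not a URL"); }
    // Rejects javascript:, data:, http: and any host outside the allowlist.
    if (url.protocol !== "https:" || !ALLOWED_LINK_HOSTS.has(url.hostname)) {
      throw new Error("link not allowed");
    }
    link = url.href;
  }
  return { title, body, link };
}
```

The returned strings are meant to be rendered with `textContent`, not `innerHTML`, so markup inside `title` or `body` is displayed as text rather than interpreted.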