Dev account blocked after Google failed to correctly identify own policies

viktor stolbin

Mar 4, 2017, 2:41:07 PM
to chromium-...@chromium.org
Hope this email finds responsible people.

I had one of my extensions taken down 3 days ago for the reasons 'suspicious code' and 'executing scripts obtained by XHR requests'. I removed the features that were using XHR requests because I always try my best to comply with Store policies. However, it was taken down again for the same reason. Then I removed the Google Analytics code because it was the only script obtained from a remote server. I was very surprised and couldn't believe Google is blocking its own products. This time I also submitted a claim to support, and it resulted in an automatically generated reply saying that after review they found execution of a remote script in one of my particular scripts. The only thing that script does is parse URLs to extract the hostname, parameters, etc. Moreover, that script was taken from Stack Overflow. I attached a screenshot of the script. Please look into it and tell me where an XHR request could be found. This is a quotation from the reply:

Your item was found to have requested/fetched one or more external scripts. An example of one such instance in your item was found in scripts/tools.js.

I already submitted an appeal, as this is clearly a mistake made by the people doing the review, or the automated tool used for that has given a false positive result.

Google Support, please pay attention to this case and take appropriate action to reinstate my account and fix the automated tool, which cannot distinguish between executing a remote script and parsing a URL.

Thanks!
Screen Shot 2017-03-04 at 2.20.56 PM.png

viktor stolbin

Mar 5, 2017, 7:37:47 AM
to Chromium-Extensions-Announce
How come, after careful reviews, Google has taken 2 opposite decisions? This is not a game of rolling dice.
After my account was suspended, I replied to the initial email 'RE: [7-8527000016148]' to seek an appeal, as it has all the technical details about the script and I can attach a screenshot with the code. And Google refused to reinstate it. However, I also appealed using the contact form, where I put the same details but couldn't attach a screenshot, and I received the reply: 'RE: [5-5890000016340] We've carefully reviewed your case and will immediately re-instate your developer account.' Unluckily (really, should I rely on luck here?), Google replied to the last email too, with a denial, and after being re-instated the account was suspended again!
Please take this review seriously. This is clearly a failure of the reviewer to distinguish between innocent parsing of a string and execution of a remote script. And this is not a place to take random decisions. Please take responsibility and admit the reviewer has failed: the account was suspended in error, then re-instated, but got suspended again, because another reviewer cannot complete the review objectively.

Федор Сумкин

Mar 29, 2017, 12:44:22 PM
to Chromium-Extensions-Announce
I got the same message, and even after replacing all occurrences of

chrome.tabs.executeScript(tabId, { code: str });

with

chrome.tabs.executeScript(tabId, { file: "file.js" })

my extension was rejected. What could be the reason?

Florian Tanay

Apr 8, 2017, 7:25:47 AM
to Chromium-Extensions-Announce
Same here...
But Viktor, you are lucky: Google gave you the suspect file.

The email they sent me is very ... generic:
During the course of a review, your item was found to be suspicious and has requested/fetched one or more external scripts.
To have your item reinstated, please make any necessary changes to avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).

I suspect this part of the code, but I don't see why it doesn't respect Google policy, as the executed code is static.

  chrome.tabs.query({ 'active': true, 'currentWindow': true }, function(tabs) {
    chrome.tabs.executeScript(
      tabs[0].id,
      { code: 'document.querySelector("meta[property=\'og:title\']")[\'content\']' },
      function(results) { $('#AjouterTitre').val(results); }
    );
  });

Федор Сумкин

Apr 25, 2017, 6:50:13 PM
to Chromium-Extensions-Announce
Any news? They accepted my extension, then rejected the next version (although I didn't touch any code that could affect 'executing external scripts'). Is there some documentation or a blog post with an exhaustive list of 'dangerous' APIs that could violate this policy? Or is there any way to get a more detailed review?
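
Added example (not part of any post in this thread, and not the Chrome Web Store's review tooling): a heuristic self-audit in Node.js that flags the constructs the rejection emails and posts above refer to, namely `executeScript` with a `code` string, string evaluation, and references to remotely hosted `.js` files. The pattern list, the function names `auditSource` and `auditExtension`, and the sample files are assumptions constructed for illustration.

```javascript
// Added example: heuristic self-audit for an extension's own source files.
// Assumption: this pattern list is illustrative; it is NOT the Web Store's review logic.
const PATTERNS = [
  { id: 'executeScript-code-string',
    re: /executeScript\s*\([^)]*\{\s*code\s*:/,
    note: 'executeScript with a code string; { file: ... } keeps the code in the package' },
  { id: 'eval-call',
    re: /\beval\s*\(/,
    note: 'eval() runs whatever string it is given, including an XHR response' },
  { id: 'function-constructor',
    re: /\bnew\s+Function\s*\(/,
    note: 'new Function() compiles a string into code' },
  { id: 'remote-js-url',
    re: /["'](?:https?:)?\/\/[^"'\s]+\.js["']/i,
    note: 'string literal pointing at a remotely hosted .js file' },
];

// Scan one file line by line and return every pattern hit with its location.
function auditSource(fileName, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const p of PATTERNS) {
      if (p.re.test(line)) {
        findings.push({ file: fileName, line: i + 1, id: p.id, note: p.note });
      }
    }
  });
  return findings;
}

// Scan a map of { fileName: sourceText } and flatten the results.
function auditExtension(files) {
  return Object.entries(files).flatMap(([name, src]) => auditSource(name, src));
}

// Constructed sample files (hypothetical, not taken from any poster's extension).
const SAMPLE = {
  'popup.js': 'chrome.tabs.executeScript(tabId, { code: str });\n' +
              'chrome.tabs.executeScript(tabId, { file: "file.js" });',
  'tools.js': 'function hostnameOf(url) {\n  const a = document.createElement("a");\n' +
              '  a.href = url;\n  return a.hostname;\n}',
  'popup.html': '<script src="https://www.example.com/lib.js"></script>',
};

for (const f of auditExtension(SAMPLE)) {
  console.log(`${f.file}:${f.line} [${f.id}] ${f.note}`);
}
```

A hit is a prompt for manual review rather than a verdict: a static `code` string is flagged the same way as a dynamic one, while the URL-parsing helper in the sample produces no findings.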