Pending review vs. frequent extension updates during development

[Daniel F]

Hi,

I have two extensions which are currently pending a manual review.

According to the FAQ, this can take up to 5 working days. I published one on the 15th and one on the 16th which is 3-4 days.

This is ok, I don't have any problem with the manual review of potentially unsecure extension, as this is for the benefit of us all.

My extensions are potentially unsecure, this is because I am currently only developing them. They are not released to the public, but only to 3 trusted tester email addresses, which are all owned by me.

A couple of months ago I posted this question to StackOverflow --- Chrome extension warning, tutorial for unpacked extension on windows ( http://stackoverflow.com/questions/36217653/chrome-extension-warning-tutorial-for-unpacked-extension-on-windows ) --- because I was/am always getting this popup.

So, starting last week, as the development of my project is advancing and now focusing on the extensions, I decided to publish them to the store (only to the trusted testers) in order to remove this popup. Since I'm currently editing the extension code pretty heavily, it is pretty difficult to release a new version every couple of hours/every day, which is why I opted of using an iframe in the extension popup, so that I can develop the code on my server without needing to republish the extension for every small change. The code is working well, the page in the iframe is even capable of resizing the popup, and I'm also planning for the iframe to be able to have the background.js do an ajax operation for it, by pushing data from the iframe to the background script. Maybe at some future point in time the iframe page will get bundled entirely with the extension.

The iframe currently only loads successfully when the user is logged in into the backend, which is determined by a cookie session variable. This means that the reviewer won't see anything useful, as I haven't yet developed code for the scenario where a user is not logged in. This will require changes in the extensions as well as in the iframe page.

So, since now my extensions are getting reviewed on every new upload, which takes a lot of time, I'm kind of in a problem here. I'm also a bit worried that this constant manual review will annoy a googler. It is an account that is in good standing, has published a very successfull and helpful Web App a couple of years ago, so I hope that nothing bad happens.

I could adjust my code to be less insecure, but I don't know that is being expected from me. The last change I made was to restrict the permissions to 4 https domains, down from a pure wildcard https domain, where two of them are CDN's, (Google's JavaScript CDN, and cdnjs.cloudflare.com) One the remianing two domains is one that will be used in a couple of months when the project gets released and the other one a shortcut domain which is currently used for development. Both domains are currently only returning a white page with a timestamp unless a very specific URL is being targeted. I published one extension with this new restriction, but at the same time bundled momentjs and angularjs libraries (minified), then it got sent to manual review and I unpublished it, because I wanted to make further changes. The other one I also unpublished because of changes, but since then I am unable to publish any new version since they are both pending review and there is no edit button avaliable.

So, I'm asking myself what I can do about it.

Thanks for taking the time to read this,

Kind regards,

Daniel Faust