After my countless back & forth with CWS review team, I've observed the following:
1. They use a code scanner that appears to stop after the first couple violations, so you won't get a full list of all the violations, which is what contributes to the time-consuming submit-reject-appeal-reject-refactor vicious cycle (CWS review hell).
2. Even though they allow minification with mangling option, there are undocumented asterisks attached. So far I've gathered the following:
* You cannot assign strings to variables if it produces code that's "hard for humans to read". A concrete example they gave is `ua('readableString')` = allowed code and `ua(xA)` = not allowed. This suggests they generally frown on mangled variables used as function arguments when calling the function.
* You cannot mangle native properties such as "innerHTML" in `menu.innerHTML` --> `bz[Lt]`.
3. You'll also likely get rejected if the messages.json file contains strings that are not user-facing, which means you can't stuff it with URLs and other things that belong in code.
Google is under tremendous pressure to get their malware problem under control, so I get the intent of these draconian measures. However, what seems to be lost is this irony: by forcing all extensions to have human-readable code, it only makes it easier for bad actors to steal the codes and introduce more malware to the internet. WASM might help in the future, but I'm not holding my breath.
Looking at the big picture, I think Google has a lot of other issues they need to resolve with the CWS (e.g., see
https://palant.info/2025/01/13/chrome-web-store-is-a-mess/). In order to get out of CWS review hell, we're planning to undo all of our optimizations and move as much code to the cloud as possible so we get some control back.