I just recently submitted my first extension for review and had it rejected for this reason:
“We don’t allow add-ons to use remote images because they can create serious security vulnerabilities. Please insert those images locally from your add-on code.”
My addon turns YouTube into an audio-only platform and overlays a thumbnail onto the YouTube player by creating an element and setting the .src to an image from the img.youtube.com domain.
Example of the element created (from JS): `<img id="playerOverlay" src="https://img.youtube.com/vi/hTvJoYnpeRQ/maxresdefault.jpg" height="360" width="640">`
My question is this:
- Is it really the case that I cannot use remote images whatsoever?
- What is the security risk?
- Where is the policy documentation that forbids this?
- Is there an allowed alternative technique to use a remote image, for example something like "image downloaded as blob via XHR, converted to an extension URI and then injected as `<img src="moz-extension:...">`" OR encode the image into base64 and inject using `<img src="data:image/jpeg;base64.........">`?
- Is it true that not one Firefox add-on references a remote image? (find this hard to believe)
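
The base64 alternative described in the question, sketched as an added example (not the poster's code, and this page does not establish whether add-on review accepts it). It assumes the extension has host permission for img.youtube.com; the function names, the 11-character ID pattern and the size cap are hypothetical choices.

```javascript
// Added example, not from the original post. Names below are hypothetical.
const THUMB_HOST = "https://img.youtube.com"; // host taken from the post
const ID_PATTERN = /^[A-Za-z0-9_-]{11}$/;     // assumption: 11-char video id
const MAX_BYTES = 2 * 1024 * 1024;            // assumption: arbitrary size cap

// Build the thumbnail URL only from a strictly validated id, so page-controlled
// text can never change the host or path that gets fetched.
function thumbnailUrl(videoId) {
  if (typeof videoId !== "string" || !ID_PATTERN.test(videoId)) {
    throw new Error("rejected video id");
  }
  return `${THUMB_HOST}/vi/${videoId}/maxresdefault.jpg`;
}

// Accept only bytes that start with the JPEG SOI marker (FF D8 FF) and fit the
// size cap, then encode them as a data: URI with a fixed image MIME type.
function jpegToDataUri(bytes) {
  if (!(bytes instanceof Uint8Array)) throw new Error("expected Uint8Array");
  if (bytes.length < 3 || bytes.length > MAX_BYTES) throw new Error("bad size");
  if (bytes[0] !== 0xff || bytes[1] !== 0xd8 || bytes[2] !== 0xff) {
    throw new Error("not a JPEG");
  }
  let binary = "";
  for (let i = 0; i < bytes.length; i += 0x8000) { // chunked to avoid huge arg lists
    binary += String.fromCharCode(...bytes.subarray(i, i + 0x8000));
  }
  return "data:image/jpeg;base64," + btoa(binary);
}

// Browser-side glue: fetch without cookies, validate, then build the overlay.
async function buildOverlay(videoId, doc = document) {
  const res = await fetch(thumbnailUrl(videoId), { credentials: "omit" });
  if (!res.ok) throw new Error(`thumbnail fetch failed: ${res.status}`);
  const img = doc.createElement("img");
  img.id = "playerOverlay";
  img.width = 640;
  img.height = 360;
  img.src = jpegToDataUri(new Uint8Array(await res.arrayBuffer()));
  return img;
}
```

The element's `src` then never points at a remote URL, and anything that is not a size-bounded JPEG is rejected before it reaches the page.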