Opera Rejecting Extensions With Minified Code (opens in new tab)

(leaptouch.com)

44 pointsgantengx12y ago42 comments

42 comments

36 comments · 17 top-level

serge2k12y ago· 5 in thread

The code is stored on device correct? Minifying makes no sense.

MurrayHurps12y ago

The code is loaded into every single page that is loaded. Memory usage and parsing time are affected.

eropple12y ago

This is a bad argument. They are affected by microseconds and kilobytes, in proportions insignificant compared to the memory usage and parsing time already required.

As you're the article author, if you're even remotely interested in being taken seriously (because right now there's less-than-no reason to) it behooves you to actually demonstrate a perf or memory delta that anybody would notice in the first place.

1 more reply

dspillett12y ago

Do you have any benchmarks to offer as evidence that the effect is significant?

I thought people minified code in extensions just for the two reasons: force of habit (they do it for all their JA that is served online) and obfuscation.

(not sure why you are getting downvoted: your point is valid, though probably insignificant)

janvidar12y ago

Not quite.

The code is compiled (once) and injected into all pages loaded. The minified code and original code will look exactly the same at this point unless the minify process does something really clever.

MichaelBurge12y ago

Is there something I'm missing, or should someone file a bug report with Opera if their lexer is taking noticeably more time and memory to strip whitespace?

1 more reply

zerovox12y ago· 4 in thread

This doesn't seem wildly unreasonable to me. If it allows them to perform a better review and check for malicious code before approving it, I'm all for it.

Perhaps Opera can perform the minification after reviewing the code and achieve the performance gains while still being able to prevent malicious code entering the store.

rogerbinns12y ago

I'm sure malicious code can be hidden in plain site anyway. Automated tools or human eyeballs won't spot it. For example here is the underhanded C contest demonstrating the principle with C http://underhanded.xcott.com/ (static analysis won't be possible on most JS code)

The only way to be sure is to implement a (bug free) sandbox that the code runs in, as then it won't matter what the code does.

adrianN12y ago

I guess you don't lock your front door because lock picking is straightforward?

While it is not possible to spot all malicious code by inspection, minification certainly makes the job much harder.

1 more reply

willvarfar12y ago

Yeah I wonder when the winners will be announced for this year's contest?

tagawa12y ago

Agreed. In the end he calls on Opera to "open the store up" but that has little to do with requiring non-minified code. Seems like he's just upset his extension go rejected.

PhasmaFelis12y ago· 4 in thread

I'm glad I'm not the only one who thought "good for Opera."

Obfuscated code is for competitions, not functional software. This is not 1978; the space savings from single-character variable names is not significant. (Or if it is, your code is way too heavy to be running in a browser extension.)

josteink12y ago

Yeah. As a developer, whenever I see minified code I cry.

It means I work with people who have no sense of reality, and it means all my debugging sessions are going to be way harder and much less productive.

That's a real loss for a fictional gain. Minifying needs to die.

njr12312y ago

In my experience minified js is 30-40% smaller, which can make a pretty significant difference in terms of load time. The debugging argument doesn't really make sense to me, since the code should only be minified in production anyway.

Still, in the case of a browser extension it wouldn't really make a difference since the files are coming from the disk.

1 more reply

Yaggo12y ago

Minifying production-deployed code is fine (although gzipping largely eliminates benefits of minifying). If the code is open-sourced, the unminified version is available. If not, the code is not meant to be debugged by you anyway. (I agree, the latter doesn't always apply in non-ideal world.)

raverbashing12y ago

More importantly, minifying has no effect on the performance of the app. (unless you're doing some smart stuff like what Google Closure does)

The Javascript engine will JIT it or at least use an intermediate representation as soon as it's loaded, rendering minified or regular code the same. Minifier helps with load times but extensions are local, (and the difference in time is really negligible this first time)

olalonde12y ago· 3 in thread

There is a lot of cargo culting going on in this thread. There are 2 reasons to minify Javascript code:

1) Protect your intellectual property by obfuscating code

2) Make web pages load faster by reducing the size of the Javascript file(s) to transfer

Minifying an extension won't make it run faster since extensions are loaded from memory or disk, not from the network (ok, maybe it will be faster by a few nanoseconds?). It could make the initial download of the extension faster but it's only a one time download. Therefore, the only valid reason to minify an extension would be #1. However, it seems Opera is more concerned by user security (it's much easier for a backdoor to go undetected in minified code) than protecting the IP of extension developers.

venomsnake12y ago

A source code is not valuable IP ... the people that wrote it are precious. Reading and understanding source code is so hard that it is often cheaper to develop from scratch if you are competitor.

There are exception of course ... but unless a team includes a few Carmacks and the likes its value is often overstated.

SchizoDuckie12y ago

1) Protect your intellectual property by obfuscating code

There is no protection in minifying an interpreted language. This is an invalid argument.

proexploit12y ago

No, it's not. It's not fool-proof but it makes it slightly more difficult for other developers to determine what's going on and it certainly makes code re-use harder. The effort that goes into examining obfuscated code is a deterrent.

1 more reply

Yver12y ago· 2 in thread

Ideally, I'd want every store to reject minified code but at the same time I'd want them to automatically minify extensions while making their full sources available as a separate download.

sitkack12y ago

Why is minification important in this case? How will it effect your execution of the extension?

claudius12y ago

Well, even though the extension lives on the local hard drive, it could still make loading it faster: At least with HDDs, people made experiments gzip'ing the Linux kernel in /boot (or parts thereof) and using the CPU to unzip it on load, which was faster than loading the uncompressed version (no source at the moment, sorry).

So since minified code shouldn’t even need uncompressing, I could imagine it to speed up the time it takes Opera to load the extension – if you always start a new browser if you want to go to a website, that might even make sense.

byoogle12y ago· 1 in thread

Actually, I think Opera has the same policy as Mozilla. If you reply to the reviewers (who are very responsive), they seem to let you minify as long as you show them the unminified sources.

Our extension (https://addons.opera.com/en/extensions/details/disconnect/) uses the minified versions of seven libraries, which are about half the size of the unminified versions. Why not give users a better experience by shaving a few seconds off the install time?

jffry12y ago

The blog post has been updated, and it seems Opera replied to that effect as well:

> Hi as I written before "We must be able to review the code in a reasonable manner", you can upload somewhere your not-minified code and give us a link to it, write what library are you using to minify and write a command which will minify your package. As fast as we read your code we will publish your extension.

dools12y ago

I don't think that minifaction will have an impact on execution time or memory usage will it? It's only advantageous to reduce total size of downloaded code, and total number of web requests to retrieve all the assets required for the page. I wouldn't think either of those things would matter in a browser extension.

jfoster12y ago

The Opera store looks incredibly similar to the Chrome Web Store, even down to the effect used to show more information when you hover over a tile.

https://addons.opera.com/en-gb/extensions/ compared with https://chrome.google.com/webstore

richo12y ago

Did they actually do any kind of benchmark to see if it affects performance?

The memory and parse time argument is invalid imo. Lexing a file with wildly abudant whitespace is going to take a delta longer that's insignificant compared to the parse time.

Loading it is normally a concern because of network bandwidth and latency, especially if it'll push you over MTU.

jorde12y ago

Mozilla does the same thing for Firefox extensions but the experience is much worse thanks to volunteer reviewers. This is of course not consistent and your extension can get rejected based on whatever obscure reason they might have: I once got hate as I used spin.js instead of a GIF loader animation. Believe me, Opera has it good.

otikik12y ago

Their house, their rules. And they don't sound so crazy to begin with.

sitkack12y ago

Extensions should be in the clear so we can see them. There is ABSOLUTELY no reason to minify an extension, they get downloaded once. In this scenario minification == obfuscation == something to hide.

antocv12y ago

"Is Opera saying they will do a comprehensive code review on every line of extensions submitted to their store? Will they require documentation on all design decisions and processes involved? What about any server-side code?"

Well, duh, yes they will do their best even if they may fall short. Props to Opera.

SchizoDuckie12y ago

Rejecting it for it might be a bit over the top, but I can imagine that minifiying and linting is just a part of your regular development process.

However, minifying is useless if there is bandwidth overhead (read: file:// URLs.)

I'm really sad though that there's even in the JS community people that are promoting micro-optimisations like they do in the PHP world..

Opera could just de-uglify the code (and even automate that). still a non-argument to decline a deployment IMO.

V-212y ago

If this is important, why couldn't Opera itself minimify the code when an extension is added?

abcd_f12y ago

> Is Opera saying they will do a comprehensive code review on every line of extensions submitted to their store?

Clearly, no. But they do probably want to check if your js might be pulling on some funny URLs behind user's back.

jnardiello12y ago

+1000 points for Opera.

j / k navigate · click thread line to collapse

42 comments

36 comments · 17 top-level

serge2k12y ago· 5 in thread

The code is stored on device correct? Minifying makes no sense.

MurrayHurps12y ago

The code is loaded into every single page that is loaded. Memory usage and parsing time are affected.

eropple12y ago

This is a bad argument. They are affected by microseconds and kilobytes, in proportions insignificant compared to the memory usage and parsing time already required.

1 more reply

dspillett12y ago

Do you have any benchmarks to offer as evidence that the effect is significant?

I thought people minified code in extensions just for the two reasons: force of habit (they do it for all their JA that is served online) and obfuscation.

(not sure why you are getting downvoted: your point is valid, though probably insignificant)

janvidar12y ago

Not quite.

The code is compiled (once) and injected into all pages loaded. The minified code and original code will look exactly the same at this point unless the minify process does something really clever.

MichaelBurge12y ago

Is there something I'm missing, or should someone file a bug report with Opera if their lexer is taking noticeably more time and memory to strip whitespace?

1 more reply

zerovox12y ago· 4 in thread

This doesn't seem wildly unreasonable to me. If it allows them to perform a better review and check for malicious code before approving it, I'm all for it.

Perhaps Opera can perform the minification after reviewing the code and achieve the performance gains while still being able to prevent malicious code entering the store.

rogerbinns12y ago

The only way to be sure is to implement a (bug free) sandbox that the code runs in, as then it won't matter what the code does.

adrianN12y ago

I guess you don't lock your front door because lock picking is straightforward?

While it is not possible to spot all malicious code by inspection, minification certainly makes the job much harder.

1 more reply

willvarfar12y ago

Yeah I wonder when the winners will be announced for this year's contest?

tagawa12y ago

Agreed. In the end he calls on Opera to "open the store up" but that has little to do with requiring non-minified code. Seems like he's just upset his extension go rejected.

PhasmaFelis12y ago· 4 in thread

I'm glad I'm not the only one who thought "good for Opera."

josteink12y ago

Yeah. As a developer, whenever I see minified code I cry.

It means I work with people who have no sense of reality, and it means all my debugging sessions are going to be way harder and much less productive.

That's a real loss for a fictional gain. Minifying needs to die.

njr12312y ago

Still, in the case of a browser extension it wouldn't really make a difference since the files are coming from the disk.

1 more reply

Yaggo12y ago

raverbashing12y ago

More importantly, minifying has no effect on the performance of the app. (unless you're doing some smart stuff like what Google Closure does)

olalonde12y ago· 3 in thread

There is a lot of cargo culting going on in this thread. There are 2 reasons to minify Javascript code:

1) Protect your intellectual property by obfuscating code

2) Make web pages load faster by reducing the size of the Javascript file(s) to transfer

venomsnake12y ago

A source code is not valuable IP ... the people that wrote it are precious. Reading and understanding source code is so hard that it is often cheaper to develop from scratch if you are competitor.

There are exception of course ... but unless a team includes a few Carmacks and the likes its value is often overstated.

SchizoDuckie12y ago

1) Protect your intellectual property by obfuscating code

There is no protection in minifying an interpreted language. This is an invalid argument.

proexploit12y ago

1 more reply

Yver12y ago· 2 in thread

Ideally, I'd want every store to reject minified code but at the same time I'd want them to automatically minify extensions while making their full sources available as a separate download.

sitkack12y ago

Why is minification important in this case? How will it effect your execution of the extension?

claudius12y ago

byoogle12y ago· 1 in thread

Actually, I think Opera has the same policy as Mozilla. If you reply to the reviewers (who are very responsive), they seem to let you minify as long as you show them the unminified sources.

jffry12y ago

The blog post has been updated, and it seems Opera replied to that effect as well:

dools12y ago

jfoster12y ago

The Opera store looks incredibly similar to the Chrome Web Store, even down to the effect used to show more information when you hover over a tile.

https://addons.opera.com/en-gb/extensions/ compared with https://chrome.google.com/webstore

richo12y ago

Did they actually do any kind of benchmark to see if it affects performance?

The memory and parse time argument is invalid imo. Lexing a file with wildly abudant whitespace is going to take a delta longer that's insignificant compared to the parse time.

Loading it is normally a concern because of network bandwidth and latency, especially if it'll push you over MTU.

jorde12y ago

otikik12y ago

Their house, their rules. And they don't sound so crazy to begin with.

sitkack12y ago

antocv12y ago

Well, duh, yes they will do their best even if they may fall short. Props to Opera.

SchizoDuckie12y ago

Rejecting it for it might be a bit over the top, but I can imagine that minifiying and linting is just a part of your regular development process.

However, minifying is useless if there is bandwidth overhead (read: file:// URLs.)

I'm really sad though that there's even in the JS community people that are promoting micro-optimisations like they do in the PHP world..

Opera could just de-uglify the code (and even automate that). still a non-argument to decline a deployment IMO.

V-212y ago

If this is important, why couldn't Opera itself minimify the code when an extension is added?

abcd_f12y ago

> Is Opera saying they will do a comprehensive code review on every line of extensions submitted to their store?

Clearly, no. But they do probably want to check if your js might be pulling on some funny URLs behind user's back.

jnardiello12y ago

+1000 points for Opera.

j / k navigate · click thread line to collapse