The Chrome Web Store (chrome-cws-code-readability) prohibits obfuscated code — not minification for size, but intentional renaming and encoding that hides what the extension actually does. Extensions caught with obfuscated logic are removed from the store and may be permanently banned. From a user-trust perspective, an extension that hides its logic cannot be independently audited, which is a red flag for the millions of users who rely on community security reviews. ISO 25010 maintainability standards treat intentional obfuscation as a defect, not a feature.
High because obfuscated code triggers store removal and prevents independent security auditing, hiding potentially malicious behavior from users.
Use build tools that minify for size (terser, esbuild) but preserve readable source. Never use obfuscators like javascript-obfuscator or similar tools.
// BAD — obfuscated: hides logic from auditors and the store
const _0x4a2c = ['settings']; function _0x2b(_0xc) { return _0x4a2c[_0xc]; }
// GOOD — minified for size but readable before build
const configKey = 'user-settings';
function updateConfig(newSettings) { /* ... */ }
Provide source maps (.map files) alongside your production build so reviewers can inspect readable code. If your build pipeline produces unreadable output, check whether your bundler config has an obfuscation plugin enabled.
ID: extension-store-readiness.policy-compliance.code-not-obfuscated
Severity: high
What to look for: Scan the extension's source code files (JavaScript, TypeScript) for intentional obfuscation patterns: variables renamed to meaningless identifiers, packed code, base64-encoded logic, or complexity that suggests hidden behavior. Size reduction itself (gzip/terser) is acceptable if the source code is readable and maintainable.
Pass criteria: Count every JavaScript/TypeScript source file. Code is readable and maintainable across 100% of source files. Variables have meaningful names. Logic is transparent and not intentionally obscured. Some minification for production builds is acceptable.
Fail criteria: At least 1 source file contains deliberate obfuscation patterns designed to hide functionality (not just minification for size reduction).
Skip (N/A) when: Never — code transparency is a Chrome Web Store requirement.
Detail on fail: "Script files contain heavily minified code with no corresponding source maps or readable source" or "Base64-encoded strings that decode to executable logic detected in background script".
Remediation: Use build tools that minify for size (terser, esbuild) but preserve readability in development. Avoid intentional obfuscation:
// BAD: Obfuscated
const a=_0x4a2c('0x1'); function b(_0x2c){}
// GOOD: Readable
const configKey = 'user-settings';
function updateConfig(newSettings) {}
Provide source maps or readable source code for auditing.
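The scan described under "What to look for", as an added example in Node.js that is not part of the original rule or of any Chrome Web Store tooling. The function names, the two heuristics and their thresholds are assumptions, and the sample sources are constructed; it shows that size-minified code passes while hex-renamed identifiers and base64 literals that decode to code are flagged.

```javascript
// Added example: heuristics and thresholds below are assumptions, not store policy.
const HEX_IDENT = /\b_0x[0-9a-f]+\b/gi;                        // javascript-obfuscator style names
const B64_LITERAL = /(['"`])([A-Za-z0-9+\/]{40,}={0,2})\1/g;   // long base64-looking string literals

// True when a base64 literal decodes to printable text that looks like JavaScript.
function decodesToCode(b64) {
  const text = Buffer.from(b64, 'base64').toString('latin1');
  const printable = [...text].filter((c) => c >= ' ' && c <= '~').length;
  return printable / text.length > 0.95 &&
    /\b(?:function|return|var|const|let)\b|=>/.test(text);
}

// Scan one source file; returns a list of { file, rule, evidence } findings.
function scanSource(file, source) {
  const findings = [];
  const hexNames = [...new Set(source.match(HEX_IDENT) || [])];
  if (hexNames.length >= 2) {
    findings.push({ file, rule: 'hex-renamed-identifiers', evidence: hexNames.join(', ') });
  }
  for (const m of source.matchAll(B64_LITERAL)) {
    if (decodesToCode(m[2])) {
      findings.push({ file, rule: 'base64-encoded-logic', evidence: m[2].slice(0, 16) + '...' });
    }
  }
  return findings;
}

// Apply the pass/fail criteria: a single flagged file fails the whole check.
function auditFiles(files) {
  const findings = Object.entries(files).flatMap(([f, src]) => scanSource(f, src));
  const failedFiles = [...new Set(findings.map((f) => f.file))];
  return { scanned: Object.keys(files).length, failedFiles, pass: failedFiles.length === 0, findings };
}

// Constructed sample inputs (not taken from a real extension).
const encoded = Buffer.from("function greet(){ return 'hello from decoded text'; }").toString('base64');
const SAMPLES = {
  'obfuscated.js': "const _0x4a2c = ['settings']; function _0x2b(_0xc) { return _0x4a2c[_0xc]; }",
  'packed.js': `const body = atob("${encoded}"); new Function(body)();`,
  'minified.js': 'const a="user-settings";function b(c){return c}',
  'readable.js': "const configKey = 'user-settings';\nfunction updateConfig(newSettings) { return newSettings; }",
  'icon.js': `const blank = "${'A'.repeat(44)}";`, // base64 of binary zeros, not code
};
console.log(JSON.stringify(auditFiles(SAMPLES), null, 2));
```

Findings from a heuristic like this are leads for manual review, not a verdict: a hit still needs a person to confirm the code is hiding behavior.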