Installation of unlisted add-ons

Hi folks,

A few months ago a new baby was born called “unlisted add-ons”.

Such add-ons are intended for hosting on non-AMO websites.

When trying to download XPI files from external websites, we get a warning

“Nightly prevented this site from asking you to install software on this computer”.

Users panic when they see this. They wouldn’t download this even if Angel Gabriel showed up.

Of course, this happens also on huge websites like download.com OR softonic.com.

My question: Is it possible to download the XPI file from AMO servers in order to prevent this issue? Otherwise, do you have any idea of how to let this baby live?

Cheers,
Larry P.

These are not new. Only Firefox spawning dumb messages is new.

All addons now have to be digitally signed by Mozilla. This happens automatically for addons hosted by AMO, but has to be done by the developer for addons which are hosted elsewhere. Trying to install an addon which is not signed generates the message you see, which helpfully gives you no information about why or what to do about it.

There are two things you can do about it. One is to bug the developer to get their addon signed. The second is to run a Firefox which will accept unsigned addons. Currently, the latest Firefox release is 44 and there is a preference xpinstall.signatures.required which can be set to disable the signing check. Starting in perhaps Firefox 46, this will not be possible in release and beta versions of Firefox to prevent people hurting themselves. Mozilla are still flailing about just how they will allow people to run unsigned addons, for example to develop them or run in-house proprietary software. I could tell you some of the ideas, but it might make you cry.

I refer to signed unlisted add-ons. These are add-ons which get signed by AMO.

The issue is that when trying to download it from server other than Mozilla, we get

“Nightly prevented this site from asking you to install software on this computer”.

It looks amazingly odd that after signing an add-on, it can’t be downloaded from elsewhere…

That’s just a bug. I’ve seen some discussion about what causes it, but I have no idea if anyone got to the bottom of it or whether it is fixed yet. Double check it really has been signed. You could also try setting the pref to ignore the signing check, just to see if that is the only problem.

Not sure if you’re referring to the dialog that asks users to first allow the site to install software on their computer. If that’s the case, it’s by design and has always been the case.

If this is a different error, we could use more details to figure out what’s wrong. I know there’s an issue when the file is hosted in a different domain than the one linking to the file. In that case, the solution is to host the file on the same domain.

When I try to download from here:

http://lipocodes.com/AdultWebsiteBlocker/offer_pro.html

Clicking on the link “Install add-on directly” (install XPI file),

I get the warning: “Nightly prevented this site from asking you to install software”.

What could be the reason?

Thanks for the help,
Larry

I don’t think this is a signing problem. I think this is a bug in Firefox. Installing by dropping a local file (or opening it from File->open or ctrl-O) shouldn’t generate this error, but it sometimes does in recent versions.

When you get the error, try navigating to a web page and try again. Or try using ctrl-O instead of drag’n’drop. I could have sworn I raised this as a bug but I can’t find it. If you can reproduce then I’ll definitely submit a bug report.

I repeat exactly the problem:

      When I try to download from here:

http://lipocodes.com/AdultWebsiteBlocker/offer_pro.html

Clicking on the link “Install add-on directly” (install XPI file),

I get the warning: “Nightly prevented this site from asking you to install software”.

What could be the reason?

Thanks for the help,
Larry

No need to get snippy. It doesn’t help that the first sentence of your post is just plain wrong. I thought there was some sort of new bug, but who knew you were just complaining about the way things are and have always been.

Jorge, I guess :slight_smile: He told you the answer. The warning is there by design and you are not supposed to get around it. This is nothing to do with signing. It has always been this way. It is intended to prevent accidental or drive-by installation of addons, and as in this case, the installation without warning of addons that have not been fully reviewed by Mozilla.

Sometimes I’ve run into this problem when testing my own add-on in a new Firefox profile. Then I’ve had success with playing with Preferences > Security > Warn me when sites try to install add-ons > Exceptions, such as adding http://* as an exception. I’m not 100% sure what I did exactly, but after messing with those options a bit I could install my add-on, do my test and move on. Hope it helps.

Thank you for your answer. The issue is that most users (from experience) just flee when whey come across the warning “Firefox prevented this site from asking you to install this software”.

So what are unlisted add-ons intended for if Firefox convinces users not to download them?

Thanks,
Larry

If you mean when you are installing from a local file, I don’t think anything you did adding exceptions actually made the difference. This happens sometimes, most frequently from chrome pages such as about:blank, and usually soon after Firefox has started. It goes away all on its own, usually just from loading a real web page. I’m guessing something in session store (or storage) isn’t initialised properly.

Hosting addons on your own servers long predates the current level of warnings and protection, so to some extent what they were intended for is no longer relevant.

There is a preference to completely turn off that warning, and exceptions can be granted for particular websites. This is not very helpful for you, but allows “more knowledgeable” users to bypass the nanny state and get on with their lives. It also allows corporate environments to configure Firefox to allow their own addons to be seamlessly installed.

In your case, the intention is quite deliberately to prevent users installing addons unless they are extremely sure they are safe and coming from a trusted source (or just plain click-happy). You can educate users about what to expect, but not much more. If you are so certain that the addon is entirely “safe” then you can host it at AMO and direct users to there so they can install without seeing any warnings. For the moment that probably isn’t an option. Your business model appears to be (default on) popup advertising and that will be very difficult to get fully approved at AMO.

https://blog.mozilla.org/addons/2015/11/10/promote-your-add-ons-with-the-get-the-add-on-button/

I notice you changed your page so it triggers a download instead of an install. Can you create a second page for the install so I can give it a look and see if there’s a bug worth filing?

I changed it. Please view http://lipocodes.com/WebsiteBlocker/offer_pro.html

The issue is that most users see the warning “Firefox prevented this site from asking…” and just flee the website. I just can’t figure out why Firefox shows such a warning regarding a signed add-on.

Best regards,
Larry P.

Ah, well, that’s because only AMO is allowed by default and we don’t make a distinction between add-ons that have been reviewed vs. the ones that are automatically signed. Maybe the new WebExtensions API will allow us to be more lenient about self-distribution, but right now add-ons have too much power to be installed without severe warnings.

@lipocodes I am trying to self host a signed XPI file but unable to do so. Here is my exact description (http://stackoverflow.com/questions/40090923/how-to-self-host-a-mozilla-web-extension). Can you please share some pointers ?

Hi,
Mozilla created this figure because they don’t want to encourage people download self-hosted add-ons. There’s nothing you can do about it.
Larry P.