[Blog post] Firefox to discontinue sideloaded extensions

Sideloading is a method of installing an extension in Firefox by adding an extension file to a special location using an executable application installer. This installs the extension in all Firefox instances on a computer.

Sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager. This mechanism has also been employed in the past to install malware into Firefox. To give users more control over their extensions, support for sideloaded extensions will be discontinued.

Read more on the Add-ons Blog >>

So just to verify that I’ve understood this correctly - with this change there will be no way for us to automate the installation of extensions in an enterprise estate?

You system administrator can set addons to be installed/uninstalled/locked on client PCs via GPO. For more details:

But you need to pay attention that addons installed in this way are placed into each user profile. On sideloading you just need to replace installed XPI file to update addons. On the other hand, on this new way it is hard to replace XPI files installed into user profiles. Thus you need to provide your custom update information for the addon on your website (or somewhere).

Ok, so can that install/update URL be an URL pointing to AMO? I.e. still distribute/update it via AMO, but automate installation via GPO?

What about Linux distributions like Debian where it is possible to install extenstions via package manager? Locking extensions installation to AMO-only is a path to vendor-locking.

If you don’t include update URL in the manifest.json of an addon, Firefox fetches update info for it from AMO.

Great, thanks. Seems we have a way forward then.

The blog post only mentions sideloading by adding the extension file to a special location. What about other installation methods, like “Install Add-on From File”, dragging and dropping an .xpi file in the Firefox window or running “firefox.exe extension-file.xpi” from command line? Will these flows be affected?

They should continue to work as they do today.

Dear @caitlin! Can you confirm that discontinuing sideloaded extensions are still planned for FF-73 and FF-74 as stated in the blog?
I just downloaded FF-73 (Beta) and it seems to behave like FF-72 again. Some weeks ago, my sideloaded extension was moved into profile as described in the bog.
FF-74 also behaves like FF-72 on the yesterdays nightly.
I would need to update/test my extensions before the sideload limitation gets live with FF-73/74.

Hi @pblai, thanks for reaching out! Yes, we are still planning to stop supporting sideloading with Firefox 74. There was a bug in some of the Nightly builds last weekend that are currently being fixed; hopefully you should see the correct behavior tomorrow or the day after.

Hi @caitlin! Just updated to FireFox 73 Beta 10, which is supposed to copy sideloaded extensions to the profile. Since FF 73 gets released in two weeks, do you have any hint on the schedule of this feature?

Hey @pblai! If you’re currently running Firefox 73, you should already be seeing the expected behavior. Are you seeing something different?

Many thanks for your reply @caitlin and special thanks for confirming that that the feature described in the blog is available in FF 73.
I probably do something wrong or expect something wrong. Please allow me to describe my case to verify.
Our solution registers a registry key HKLM\SOFTWARE\Mozilla\Firefox\Extensions [REG_SZ] extensionid=c:\ProgramData\product\FFXPI\extension.xpi.
Extension gets installed and asking the user to activate it. This works without problems since years. If I got the blog correctly, FF73 is now copying the extension to
the users profile. As a side effect, the button “Can’t be Removed” in the FF Extensions tab changes to “Remove” and the extension.xpi appears in the
profile’s extension subdirectory. In my impression the FF beta(s) from before the new year behaved exactly in that way but I didn’t see it in any beta from the new year.

Do you have any idea what I do wrong? I could provide you with links and test packages if that helps! Please have a look; I appreciate your assistance.

Hi @pblai, sorry for the inconvenience and thanks for your patience. I checked in with our engineering team today and learned that we have decided not to copy sideloaded add-ons to user’s profiles as part of our plan to remove support for sideloaded extensions. Like you noticed, there will be no changes to sideloading in Firefox 73. In Firefox 74, extensions won’t be able to be installed outside of the user’s profile and users with previously sideloaded extensions will be able to remove them from the Add-ons Manager in Firefox.

I sincerely apologize for the confusion! Please let us know if any more questions come up.

Hi @caitlin! Many Thanks for clarifying! Regarding the part “users with previously sideloaded extensions will be able to remove them from the Add-ons Manager”. Did I get that right that sideloaded extensions are still active in FF74 in case they were added to the registry before update to FF 74 appeared? Please confirm or deny. Many Thanks!

Correct! These extensions will still be active.