Hidden Add-on Listing like in Chromestore?

How can I publish a limeted audience add-on without any warnings for my users?
I don’t want that warning: “Firefox prevented the site from asking you to install software”. I can’t allow our download location on every firefox client.
That’s why I tried to publish it via AMO.
But your reviewers say:
“Due to the limited/non-public audience of this add-on, this add-on is not suitable for being listed. Please submit a self-hosted version and distribute the signed file yourself.”

The Google Chromestore makes this better with a hidden listing and “private” Links.

Do you have any suggestions?

Thanks a lot.

The Add-ons site allows an “Experimental” designation, but that may still be for extensions of broader interest than yours. ?? You’ll find the checkbox below the Summary field on the submission form.

Hi @mpiblib, thanks for reaching out!

That doorhanger is the standard installation experience for non-AMO extensions and is intended to make sure that users understand they are installing third-party software and alert them of the potential risks of doing so. If the user clicks “Allow,” they are able to install the extension.

Starting with Firefox 68, the language of the doorhanger will change to:

00%20AM

… which we think is clearer and more user friendly. :slight_smile:

Firefox 68 is due to be released this week. We’d love to hear if this reduces confusion for your users.

1 Like

Hello @caitlin,

thank you very much for the information. The new doorhanger looks much better. We will see…
Nevertheless, isn’t it a bit inconsequent that there is no 3rd party warning if you open an XPI link from a mail or open it directly in Firefox?
I understand why this warning exist, but why you have to display them for add-ons that are already validated/signed? A release via AMO is also a 3rd party installation …without warning. :wink:
What argues against a “hidden display” via AMO like in Chromestore?
My point is that there should also be a way for non publicly listed, validated add-ons to be published without warning.

Listings on an official distribution channel, like AMO, have a certain legitimacy that users associate with them, regardless of them being hidden or more easily discoverable. If they are less discoverable, though, it also means that members of our community are less likely to find them and report any issues they discover in them. Hidden listings give unverified add-ons too much credibility and too little accountability, in my opinion. That may change in the future, but it’s one important reason AMO doesn’t handle listings that way.

1 Like

Did you read the thread? That’s not the point. Nobody wants add-ons to be published unverified on AMO.
I don’t care if it is publicly listed or not.
I want to publish a verified add-on that does not generate a warning that the installation or source is potentially dangerous.

There are no verified or unverified add-ons on AMO. AMO lists add-ons that pass some automatic checks, and they are spot-checked by humans after the fact. There’s no guarantee an add-on has been code-reviewed and we don’t make guarantees of safety.

There is a Recommended extensions program that is coming up that will address this issue, for a relatively small number of add-ons. They will be all code-reviewed and they will have a flag in their files indicating as much, so Firefox also knows they are Recommended.

As for the different install experiences on and off AMO, we’ve talked about drawing the line differently, like showing the additional warning for non-Recommended add-ons, but there are lots of variables at play for that and we don’t have concrete plans for changing it. For the time being, AMO and a couple other Mozilla sites are the only ones where you can install without the extra warning.

Semi-OT: If - as you say - add-ons are only spot checked, why does the release take several hours/days? Automatic verification and signing only takes a few seconds. My experience is that I have to wait for approval by human reviewers. Or do you mean that these reviewers don’t do a real code review, so they just do a formal review?

Well, that’s really ridiculous. So why isn’t there a warning that all add-ons (AMO and self-hosted) are potentially dangerous? If you can’t even guarantee that the released add-ons have been tested?

If it is really so - as you describe it -, then the procedure for the add-ons is very arbitrary.

So in summary, you’re saying that I’ve been bad luck and can’t do anything?!?

If - as you say - add-ons are only spot checked, why does the release take several hours/days?

First submissions (new add-ons) take about a day to pass review because of spam controls we recently put in place. Updates can take a couple minutes or a couple of hours. The delay has to do with how the process is implemented, but you’re right that the actual verification only takes seconds.

So why isn’t there a warning that all add-ons (AMO and self-hosted) are potentially dangerous?

Firefox prompts all users when installing an add-on, particularly showing the permissions required. We are working in adding more warnings for non-Recommended add-ons, but we need to balance being informative with being overly alarmist.

So in summary, you’re saying that I’ve been bad luck and can’t do anything?!?

If what you’re looking for is “How can I publish a limeted audience add-on without any warnings for my users?”, then yes, there are no good options available right now.