Self-hosted Firefox extension install flow is broken on Firefox 100 & 101 beta

Hello!
We distribute Firefox add-ons on PC and macOS outside of Mozilla store.

Until Firefox 100.0 our users were able to install the add-on by clicking a button on the product side which was opening a link to XPI file hosted on our company’s download server. That was triggering a usual install dialog from Firefox where it asks user to confirm the installation.

Starting from Firefox 100.0 this stopped happening and we started receiving numerous support calls from our customers about not being able to install the add-on. The issue now is that when the XPI link is opened in Firefox, the install dialog does not appear which brings a lot of confusion to the user. Firefox shows the link to the XPI in the address bar but does not start the usual install process (attaching screenshot of how it looks like on my Mac). The issue applies to both macOS and Windows platforms. I’ve opened a bug case on bugzilla. The link for reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1766965

The issue can be reproduced by running “open -a Firefox <link_to_XPI>” on macOS

Could someone please clarify how we should proceed with this issue? We are now getting reports of this issue from many of our customers. Thank you.

Found this message in the browser log

[Exception... "https://download.sp.f-secure.com/firefox-extension-install/beta/browsing-protection.firefoxextension.xpi install cancelled because of missing user gesture activation" nsresult: "0x0 (NS_OK)" location: "JS frame :: resource://gre/modules/amContentHandler.jsm :: handleContent :: line 51" data: no] amContentHandler.jsm:51:32 handleContent resource://gre/modules/amContentHandler.jsm:51

So sounds to me that it’s exactly about the changes in the self-hosted extension install process in the recent email. And indeed in our case, the user does not click on the link. The main product opens the link in Firefox and expects it to start the install process.

So in the essence, it is a user initiated action (user clicks on the button in the product UI) but Firefox only allows direct user click on the link to XPI which is a bummer if I understand the situation correctly.

I guess it means that Firefox can only determine it was user-initiated if you serve a web page and the user clicks a link in the page.

1 Like

yeah… that was my understanding so far as well. so from Firefox point of view, it’s not a user initiated action (but it is though). So the only flow which can be validated is a click on the link inside the browser which makes sense.

got an update on the Bugzilla case. Indeed, this is intended behavior.
click on the XPI link = User initiated action
opening XPI link outside of Firefox using system command line tools / APIs = non user initiated action