I have not actually tested this on ESR myself yet. But have you tried from the secure link. Instead of http://addons.mozilla.org/ Try https://addons.mozilla.org/ Normally once you have used a https link for a site you will get that in preference to a http link

Hello John,

it doesn't matter if it is a 'normal' version or an ESR version. It is always the same in this case.

It's always the 'https://addons.mozilla.org' site.

(Can't use 'http' for this site in the address bar, because after 'Enter' it is always 'https').

My way:

1. Write down the Url in the adress bar = addons.mozilla.org (...or use a bookmark as form me with https://addons.mozilla.org )

2. The presented site is always the secured site with 'https' =

    https://addons.mozilla.org/

3. Search - for example - for "Download Status Bar" (...it's a signed Add-On) or for example "NoScript"

4. A very short sequence I can see the Blue Button = 'Download for Windows' and 10 millisecond later there is always the Green Button with ' + Add to Firefox'.

So far so good:

5. Right Click (=Context Menu) to the Green Button 'Add to Firefox', then 'Save Link as...' -> choose a directory of your choice -> Save.

Consequence:

All of the 'downloaded files' have a size of 0 kb. There isn't a download ;-).

Exactly this way I can use up to version 31.8 (ESR) without any problems. Above this version (...the next one is 38.0.1) = no chance.

Yesterday I was trying also the newest 'official' version 44.0.2. = the same effect -> no possibility to download the xpi-file manually with 'Save Link as...'.

When I check the download list after using Save Link As, I see this URL:

https://addons.cdn.mozilla.net/user-media/addons/12021/form_history_control-1.4.0.4-sm+fx.xpi?filehash=sha256%3Aae421ade4005e5b12aa7c53cdc9f61cb53f61dfe3dd0e21cb64a1dd3a6c0d9c5

Some users have encountered errors when extension downloads are redirected to a different server, but I think this is the first time I've heard of an error with the official site.

But... do you want to try adding an "Allow" software download permission for that site? If so:

(1) Select and copy the following protocol and host name

https://addons.cdn.mozilla.net

(2) Open the Exceptions list here:

"3-bar" menu button (or Tools menu) > Options

In the left column, click Security. Then on the right side, click the Exceptions button to the right of "Warn me when sites try to install add-ons".

In the dialog box that appears, you can past the URL and click the Allow button to add an exception.

Does that let you download and save extensions?

Hello jscher2000,

what are the file size of the file 'form_history_control-1.4.0.4-sm+fx.xpi' after downloading this per Context-Menu 'Save Link as...'?

Hi JanetM., Windows shows me 489 KB as the file size.

Hello Jefferson,

thank you for your reply.

After 24 hours of installing and reinstalling different versions from 31 to 38 (ESR) and 44 i have found out with a header inspector that the Guys from the Firefox-Project have the sites '*.mozilla.org' -> CSP protected with newer versions of Firefox.

Therefore it's not possible to make a xpi download manually from the Mozilla Add-On "Store" in order to install these files later from a local directory.

I suppose it's not desired to showcase at this place "how to fix it" this feature .

Fortunately i was able to disable this ... thing.

Over the month i have to install numerous Workstations and don't have enough time to install required Add-Ons (...in the most recent version) with direct downloads over the Add-On "Store" on every machine separately .

Sure, it could be used the Sync-Account, but i hate cloud-based solutions, ... because no one knows the real owner of the infrastructure.

Thanks again for your efforts.

I don't understand why it isn't working for you, or why you think the CSPs are relevant to downloads. What am I missing here? If you want to send the information by private message, you can click my username next to a post.

Jefferson

Ok I had not tried to check this earlier, and did not expect problems with Release and pre release, but I can reproduce something similar and it does not help setting an exception.

I do see zero kb results. Not sure what's happening am I only getting the hash from AMO. Presumably the exception only helps when trying to install an addon, but not when attempting to download an xpi.

Whereas from github I can download an .xpi with no problem e.g.

https://github.com/philipp-sumo/sumo_live_helper/raw/master/sumo_live_helper.xpi

With no need to try setting an exception.

STR Testing with Fx46.0a. Try some official addon, I tried https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin Right click the (green box) [+ Add to Firefox] and use option to open in another tab or copy. I get https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary & door hanger: ... prevented install ... Using about:preferences#security and setting an exception for https://addons.cdn.mozilla.net does not help. If I try https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi with the network console I do see https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb

Janet, It is probably worth noting addons are now signed. That may not affect ESR as yet for installation. Personally I do not understand the new installation method. But the blogs and help article are

• https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
• https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/
• Add-on signing in Firefox

install numerous Workstations

No idea if it will help but have you tried or considered using CCK2. That was previously hosted on addons.mozilla and apparently is still available free from its developers website

• https://mike.kaply.com/cck2/
• & other blogs including the older: Customizing Firefox – Extensions and the CCK Wizard

Hi John,

exactly, this is the effect.

I don't know if it is allowed to post the solution here. What works for me -> in a personal message.

What security software do you have?

It is possible that security software (anti-virus, firewall) is causing the problem. Try to disable security software temporarily to see if that makes a difference.

Hi Janet, OK thanks. Not yet sure the intended purpose of the pref you mentioned in the PM. So not sure about any other consequences of toggling it, Jefferson will probably figure that out before I can.

We do not usually keep prefs secret, but sometimes do not shout out about the possibilities. It is not even official policy to promote ESR to ordinary users.

John99 said

STR
Testing with Fx46.0a.
Try some official addon, I tried https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin
Right click the (green box) [+ Add to Firefox] and use option to open in another tab or copy.
I get https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary & door hanger: ... prevented install

Yes, opening an XPI from AMO in a tab is blocked for some reason. But right-click > Save Link As on the green button works for me. Does that work for you?

Yes it does actually when I try.

I right click and copy link location the url I get

https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary

However if I right click and use save link as I get file (I am using Linux)

ublock_origin-1.6.2-an+fx+sm+tb.xpi
(Size:  1.5 MB (1,452,499 bytes) )

I presume that will install, the option to install does show when I open the file with Firefox DE

Thanks, John. The original poster can only get Save Link As to work by disabling CSP. That doesn't make sense to me because I don't think CSP should apply to downloads, but I'm having a hard time monitoring the HTTP headers (didn't clicking a URL in the Browser Console used to display the headers?).

I see this CSP data in HTTP response headers of the main page using Live Http Headers:

Content-Security-Policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__

Downloading an XPI file shows this for me:

Content-Security-Policy: default-src 'none'; report-uri /__cspreport__

Note that this data may come from CloudFront servers.

X-Cache: Hit from cloudfront
Via: 1.1 3d95c075cc2e7532826e1d3de1a75b2e.cloudfront.net (CloudFront)

jscher2000 said

Thanks, John. The original poster can only get Save Link As to work by disabling CSP. That doesn't make sense to me because I don't think CSP should apply to downloads, but I'm having a hard time monitoring the HTTP headers (didn't clicking a URL in the Browser Console used to display the headers?).

Both ESR eqivalent Iceweasel & DE using Network Console there is a small icon top right appears show request details that has tab options including Headers & Security

• https://developer.mozilla.org/docs/Tools/Network_Monitor#Headers

Browser console similar

• https://developer.mozilla.org/docs/Tools/Browser_Toolbox

Further to last post. Browser console at least in iceweasel is needing right click to display headers

e.g. Response Headers Δ205ms X-XSS-Protection: 1; mode=block X-Target-Digest: sha256:b705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Backend-Server: ip-172-31-47-33 Vary: X-Mobile, User-Agent Strict-Transport-Security: max-age=31536000 Server: nginx Location: https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb Date: Thu, 03 Mar 2016 01:17:46 GMT Content-Type: text/html; charset=utf-8 content-security-policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__ Content-Length: 0 Connection: keep-alive

cor-el said

I see this CSP data in HTTP response headers of the main page using Live Http Headers:

Content-Security-Policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__

Downloading an XPI file shows this for me:

Content-Security-Policy: default-src 'none'; report-uri /__cspreport__

...

Hi cor-el, yes, this is exactly what happens.

John99 said

Further to last post. Browser console at least in iceweasel is needing right click to display headers e.g. Response Headers Δ205ms X-XSS-Protection: 1; mode=block X-Target-Digest: sha256:b705c5b4e5c568f5c536e2e747... X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Backend-Server: ip-172-31-47-33 Vary: X-Mobile, User-Agent Strict-Transport-Security: max-age=31536000 Server: nginx Location: https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e747... Date: Thu, 03 Mar 2016 01:17:46 GMT Content-Type: text/html; charset=utf-8 content-security-policy: script-src 'self' https://addons.mozilla.org; ... report-uri /__cspreport__ ...

Hi John,

yes, this was in my case the reason, why i can't download nowhere at the addons.(cdn.)mozilla site .xpi with the 'Save Link as...' method above versions 31.8.

Is this an intended effect or a special constellation from a server where the files are provided ?