If you have installed add-ons from sites other than AMO, you might be familiar with the domain whitelist. When you try to install an add-on from a third-party site, you’ll see a doorhanger notification asking you if you want to allow that site to install software. The domain whitelist in Firefox allows you to remove that notification for specific domains, which is useful if you install add-ons frequently from those domains.
A recent security bug fix in Firefox changed the way the whitelist works. Starting with Firefox 37 (to be released on March 31st), the doorhanger notification will always show up if you try to install an add-on from a page that is loaded with a plain HTTP connection. In other words, the domain whitelist will only work if the page the add-on is installed from is HTTPS. The URL to the XPI can still be plain HTTP, but the page that triggers the installation must be HTTPS.
The “extensions.install.requireSecureOrigin” preference can be set to false in order to revert this change. Also, this doesn’t affect automatic add-on updates in any way, even if they happen over plain HTTP.