Loading temporary add-ons

With Firefox 43 we’ve enabled add-on signing, which requires add-ons installed in Firefox to be signed. If you are running the Nightly or Dev Edition of Firefox, you can disable this globally by accessing about:config and changing the xpinstall.signatures.required value to false. In Firefox 43 and 44 you can do this on the Release and Beta versions, respectively.

In the future, however, disabling signing enforcement won’t be an option for the Beta and Release versions as Firefox will remove this option. We’ve released a signing API and the jpm sign command which will allow developers to get a signed add-on to test on stable releases of Firefox, but there is another solution in Firefox 45 aimed at add-on developers, which gives you the ability to run an unsigned, restartless add-on temporarily.

To enable this, visit a new page in Firefox, about:debugging:

Screen Shot 2015-12-18 at 8.07.12 AM

In my case I’ve got a new version of an add-on I’m developing; a new WebExtension called “Sort Tabs by URL”. To load this unsigned version temporarily, click on the “Load Temporary Add-on” and select the .xpi file for the add-on. This will load an unsigned add-on temporarily, for the duration of the current browser session. You can see this in about:debugging and also by the green button in the toolbar that the add-on creates:

Screen Shot 2015-12-18 at 8.07.42 AM

The add-on is only loaded temporarily; once you restart your browser, the add-on will no longer be loaded, and you’ll have to re-load it from the add-ons manager.

If you don’t want to go to the effort of making an .xpi of your add-on while developing – you can just select a file from within the add-on, and it will be loaded temporarily without having to make a zip file.

One last note, if you have an add-on installed and then install the an add-on temporarily with the same id then the older add-on is disabled and the new temporary add-on is used.

17 responses

  1. Nanashi wrote on :

    This is nice for quick testing, but how’s the progress on letting administrators enroll their own signing keys, so they can pick what extensions can run on a slightly more permanent basis?

  2. Michael Kaply wrote on :

    This fix doesn’t help the thousands of add-ons that are not restartless.

    Please just do a developer mode like Chrome.

    Have a giant popup that says “You are in developer mode” and be done with it. Please.

    And get rid of the unbranded Firefox idea completely.

    1. Markus “Traumflug” Hitter wrote on :

      This, or have a whitelist for (in-house) developed plug-ins.

      Or allow signing add-ons without sending their (confidential!) code to public servers.

      Many options to allow development while maintaining safety for the public, but currently it looks much like Firefox tries hard to prohibit private and in-house development without expressedly naming it.

      1. Anonymous wrote on :

        They don’t want to make a white-list because bad addons can change it.
        Yes, they suppose horrible bad addons can sneak into the system even they are not in the white-list and forced to sign at the beginning.
        And yes again, they think the horrible deadly bad addons need to modify the white-list AFTER they have already infected the system.
        Therefore, the good heart devs forbide the white-list solution, which can prevent the poor bad guys doing stupid thing (i.e. picking the doorlock when they already have some other way to break in your house).

  3. Tony Jones wrote on :

    This is such a pain in the bum. We can no longer use Firefox to VPN to work.

    Congratualtions, my colleagues and I are now ex firefox users.

  4. Timur wrote on :

    Now I can say that Firefox is proprietary software. You betrayed community.

  5. Markus wrote on :

    Considering this will break tons of older extensions that tons of people depend on in their day to day use of Firefox and that have no replacements, what are you going to do in order to help people in using those extensions? Shouldn’t there be some way to enable individual unsigned extensions if people know what they’re doing and know what those extensions are? Or are you fine with users simply stopping to update Firefox because you deliberately destroyed their customized environment in future versions?

  6. Joe wrote on :

    Can’t you guys just admit this was a stupid idea and let it go? Between this and the automatic signing of unlisted add ons it is clear that mandatory signing was a half-baked idea at best. It really seems like someone somewhere just doesn’t want to admit that they were wrong.

    1. Chuck Baker wrote on :

      “Can’t you guys just admit this was a stupid idea and let it go?”

      Too late for that. Even if they decided the whole idea is/was a major clusterfck, the damage has already been done. A certain layer of trust was stripped away that can never be regained.

      To my knowledge, nobody asked the add-on developers (or the everyday users) if this was a good idea or if it was something they wanted or needed. And let’s be honest, it is the add-on developers that truly made Firefox what it was. They created the demand for a customizable browser and Firefox thrived because of it.

  7. Chinatownreport wrote on :

    I agree to do developer mode like Chrome.

  8. John Mayer wrote on :

    It should be something simpler…

  9. Anton wrote on :

    As far as I can tell, content scripts from the extension are reloaded automatically, yet background script is not? Is there a way to force background script reload (Chrome has a “Reload” button for unpacked extensions), or do I need to always remove / add addon to test my changes?

  10. Noitidart wrote on :

    I think this is a great work around. Is there any docs on this yet? So we addons can start using this. I have a couple addons which helps install other addons.

    1. Noitidart wrote on :

      No docs yet but use this – AddonManager.installTemporaryAddon(xpi)

      DXR – https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.jsm#2314

  11. Noitidart wrote on :

    Hey all,
    People are submitting super simple test addons to be reviewed, but they just want to install it for themselves, so I hesitate to tell them to use unlisted. I have a reply for them that works in Firefox = 45, but what can I tell them for Firefox 44?

    This is what I tell them:
    ———
    To install for your self, you can load a temporary addon, this is available in Firefox 45+ – https://blog.mozilla.org/addons/2015/12/23/loading-temporary-add-ons/

    If you are in Firefox 43, you can change your preference value for `xpinstall.signatures.required` to `false`. This setting is discontinued in Firefox 44.

    You cannot install in Firefox 44 without signing it, either by setting up your oauth credientials then using jpm sign – https://blog.mozilla.org/addons/2015/12/18/signing-firefox-add-ons-with-jpm-sign/ – or manually using this signing service
    ——–

  12. Noitidart wrote on :

    Is the uninstall proc of the temporary addon triggered on addon shutdown? Or on the next browser startup? Just curious because it might impact uninstall procedures if they are async, like they may not complete in time.

  13. Dan Dreifort wrote on :

    I’m sticking with ff 43/44 for as long as it’s reasonably secure. If there’s no easy way to run unsigned addons by then, I’ll very reluctantly ditch firefox. Sad that firefox is losing a valuable group of devs/fans/users with this new policy.