I have developed a WebExtension. I’m self-hosting the extension. As part of my build, I ask Mozilla to sign the extension. Then I self-host the signed XPI, along with my updates.json.
I’m also allowing users to install the extension via a web page. However, when they install the extension, they receive the warning:
I’ve tried using InstallTrigger and just redirecting the user to the URL of the XPI. Both provide the warning.
Both the install site and the server hosting the XPI are in HTTPS. Am I receiving the error because they are not the same subdomain? The server running the JavaScript is app.site.com and the server hosting the XPI is extension.site.com (which has CORS enabled for app.site.com).
If I visit the URL of the XPI manually (so it’s not coming from JavaScript), the extension installs without warning.
If my extension is approved and signed by Mozilla, why do I have a warning? Is it because I’m triggering the install via JavaScript? How can I avoid this warning?
Thanks for your help.