Unlisted, signed WebExtension showing warning

I have developed a WebExtension. I’m self-hosting the extension. As part of my build, I ask Mozilla to sign the extension. Then I self-host the signed XPI, along with my updates.json.

I’m also allowing users to install the extension via a web page. However, when they install the extension, they receive the warning:

I’ve tried using InstallTrigger and just redirecting the user to the URL of the XPI. Both provide the warning.

Both the install site and the server hosting the XPI are in HTTPS. Am I receiving the error because they are not the same subdomain? The server running the JavaScript is app.site.com and the server hosting the XPI is extension.site.com (which has CORS enabled for app.site.com).

If I visit the URL of the XPI manually (so it’s not coming from JavaScript), the extension installs without warning.

If my extension is approved and signed by Mozilla, why do I have a warning? Is it because I’m triggering the install via JavaScript? How can I avoid this warning?

Thanks for your help.

Do you recireve the warning when you clicked an <a href="...xpi">? If not, then what you need to install without the prompt is a direct user interaction (click, keyboard) when you trigger your installation. It’s the same with popups and some other possibly annoying things.

Hello, I’m working with @emmerich.
I just tried with <a href=https://app.site.com/file.xpi"> and we are still receiving the warning.
It seems that only the final user can add websites to its white-list.
Thanks for your help
Regards

As @Maxime_Vast mentioned, we still had the problem.

It seems that the warning appears before any download is triggered. If I change the URL of the XPI to something broken, I still have the warning before I receive the message “extension does not exist”.

As Maxime said, it looks like the user needs to add our domain into a “trusted websites” list. Is there any way that this can be done from our end instead of a client-side change?