Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Can't download Firefox Add-ons manually with 'Save Link as...' because "Firefox prevented this site () from asking you to install software on your computer"

  • 19 replies
  • 7 have this problem
  • 1 view
  • Last reply by JanetM.

more options

Hi Guys,

since Firefox Version 38.0 (ESR) it is not possible to download Firefox Add-ons manually ( ...from the site addons.mozilla.org (!) ) with 'Save Link as...' (...from the Right-Click Context-Menu).

All of the Add-Ons for Firefox (signed or un-signed) have a size of '0 kb' after trying to 'Save Link as...' to a local directory. If I'm choosing there (...in the 'Mozilla Add-On Store') a Thunderbird Add-On everything works fine with the 'Save as...'-alternative.

I have tested this with all of the ESR versions 38.0 to 38.6.1 and also with the new 'public' version 44.0.2 (= no ESR), ...also with new and clean Profiles. Everywhere the same effect. 31.8 ESR is the last one where I can download and save Add-Ons with 'Save Link as...' to a local directory.

(I know that it is possible to choose the Button '+Add to Firefox' with Left-Click. In this case the Add-On Download starts without any problems promptly ...and the installation process starts directly.)

Is there a Pref available which I can set in the about:config page or another option to download Add-On files manually?

Hi Guys, since Firefox Version 38.0 (ESR) it is not possible to download Firefox Add-ons manually ( ...from the site addons.mozilla.org (!) ) with 'Save Link as...' (...from the Right-Click Context-Menu). All of the Add-Ons for Firefox (signed or un-signed) have a size of '0 kb' after trying to 'Save Link as...' to a local directory. If I'm choosing there (...in the 'Mozilla Add-On Store') a Thunderbird Add-On everything works fine with the 'Save as...'-alternative. I have tested this with all of the ESR versions 38.0 to 38.6.1 and also with the new 'public' version 44.0.2 (= no ESR), ...also with new and clean Profiles. Everywhere the same effect. 31.8 ESR is the last one where I can download and save Add-Ons with 'Save Link as...' to a local directory. (I know that it is possible to choose the Button '+Add to Firefox' with Left-Click. In this case the Add-On Download starts without any problems promptly ...and the installation process starts directly.) Is there a Pref available which I can set in the about:config page or another option to download Add-On files manually?

Modified by JanetM.

Chosen solution

I see this CSP data in HTTP response headers of the main page using Live Http Headers:

Content-Security-Policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__

Downloading an XPI file shows this for me:

Content-Security-Policy: default-src 'none'; report-uri /__cspreport__

Note that this data may come from CloudFront servers.

X-Cache: Hit from cloudfront
Via: 1.1 3d95c075cc2e7532826e1d3de1a75b2e.cloudfront.net (CloudFront)
Read this answer in context 👍 0

All Replies (19)

more options

I have not actually tested this on ESR myself yet. But have you tried from the secure link. Instead of http://addons.mozilla.org/ Try https://addons.mozilla.org/ Normally once you have used a https link for a site you will get that in preference to a http link

more options

Hello John,

it doesn't matter if it is a 'normal' version or an ESR version. It is always the same in this case.

It's always the 'https://addons.mozilla.org' site.

(Can't use 'http' for this site in the address bar, because after 'Enter' it is always 'https').

My way:

1. Write down the Url in the adress bar = addons.mozilla.org (...or use a bookmark as form me with https://addons.mozilla.org )

2. The presented site is always the secured site with 'https' =

    https://addons.mozilla.org/

3. Search - for example - for "Download Status Bar" (...it's a signed Add-On) or for example "NoScript"

4. A very short sequence I can see the Blue Button = 'Download for Windows' and 10 millisecond later there is always the Green Button with ' + Add to Firefox'.

So far so good:

5. Right Click (=Context Menu) to the Green Button 'Add to Firefox', then 'Save Link as...' -> choose a directory of your choice -> Save.

Consequence:

All of the 'downloaded files' have a size of 0 kb. There isn't a download ;-).


Exactly this way I can use up to version 31.8 (ESR) without any problems. Above this version (...the next one is 38.0.1) = no chance.

Yesterday I was trying also the newest 'official' version 44.0.2. = the same effect -> no possibility to download the xpi-file manually with 'Save Link as...'.

Modified by JanetM.

more options

When I check the download list after using Save Link As, I see this URL:

https://addons.cdn.mozilla.net/user-media/addons/12021/form_history_control-1.4.0.4-sm+fx.xpi?filehash=sha256%3Aae421ade4005e5b12aa7c53cdc9f61cb53f61dfe3dd0e21cb64a1dd3a6c0d9c5

Some users have encountered errors when extension downloads are redirected to a different server, but I think this is the first time I've heard of an error with the official site.

But... do you want to try adding an "Allow" software download permission for that site? If so:

(1) Select and copy the following protocol and host name

https://addons.cdn.mozilla.net

(2) Open the Exceptions list here:

"3-bar" menu button (or Tools menu) > Options

In the left column, click Security. Then on the right side, click the Exceptions button to the right of "Warn me when sites try to install add-ons".

In the dialog box that appears, you can past the URL and click the Allow button to add an exception.

Does that let you download and save extensions?

more options

Hello jscher2000,

what are the file size of the file 'form_history_control-1.4.0.4-sm+fx.xpi' after downloading this per Context-Menu 'Save Link as...'?

Modified by JanetM.

more options

Hi JanetM., Windows shows me 489 KB as the file size.

more options

Hello Jefferson,

thank you for your reply.

After 24 hours of installing and reinstalling different versions from 31 to 38 (ESR) and 44 i have found out with a header inspector that the Guys from the Firefox-Project have the sites '*.mozilla.org' -> CSP protected with newer versions of Firefox.

Therefore it's not possible to make a xpi download manually from the Mozilla Add-On "Store" in order to install these files later from a local directory.

I suppose it's not desired to showcase at this place "how to fix it" this feature .

Fortunately i was able to disable this ... thing.

Over the month i have to install numerous Workstations and don't have enough time to install required Add-Ons (...in the most recent version) with direct downloads over the Add-On "Store" on every machine separately .

Sure, it could be used the Sync-Account, but i hate cloud-based solutions, ... because no one knows the real owner of the infrastructure.

Thanks again for your efforts.

more options

I don't understand why it isn't working for you, or why you think the CSPs are relevant to downloads. What am I missing here? If you want to send the information by private message, you can click my username next to a post.

more options

Jefferson

Ok I had not tried to check this earlier, and did not expect problems with Release and pre release, but I can reproduce something similar and it does not help setting an exception.

I do see zero kb results. Not sure what's happening am I only getting the hash from AMO. Presumably the exception only helps when trying to install an addon, but not when attempting to download an xpi.

Whereas from github I can download an .xpi with no problem e.g.

https://github.com/philipp-sumo/sumo_live_helper/raw/master/sumo_live_helper.xpi

With no need to try setting an exception.

STR Testing with Fx46.0a. Try some official addon, I tried https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin Right click the (green box) [+ Add to Firefox] and use option to open in another tab or copy. I get https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary & door hanger: ... prevented install ... Using about:preferences#security and setting an exception for https://addons.cdn.mozilla.net does not help. If I try https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi with the network console I do see https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb


Janet, It is probably worth noting addons are now signed. That may not affect ESR as yet for installation. Personally I do not understand the new installation method. But the blogs and help article are

install numerous Workstations

No idea if it will help but have you tried or considered using CCK2. That was previously hosted on addons.mozilla and apparently is still available free from its developers website

more options

Hi John,

exactly, this is the effect.

I don't know if it is allowed to post the solution here. What works for me -> in a personal message.

more options

What security software do you have?

It is possible that security software (anti-virus, firewall) is causing the problem. Try to disable security software temporarily to see if that makes a difference.

more options

Hi Janet, OK thanks. Not yet sure the intended purpose of the pref you mentioned in the PM. So not sure about any other consequences of toggling it, Jefferson will probably figure that out before I can.

We do not usually keep prefs secret, but sometimes do not shout out about the possibilities. It is not even official policy to promote ESR to ordinary users.

more options

John99 said

STR
Testing with Fx46.0a.
Try some official addon, I tried https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin
Right click the (green box) [+ Add to Firefox] and use option to open in another tab or copy.
I get https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary & door hanger: ... prevented install

Yes, opening an XPI from AMO in a tab is blocked for some reason. But right-click > Save Link As on the green button works for me. Does that work for you?

more options

Yes it does actually when I try.

I right click and copy link location the url I get

https://addons.mozilla.org/firefox/downloads/latest/607454/addon-607454-latest.xpi?src=dp-btn-primary

However if I right click and use save link as I get file (I am using Linux)

ublock_origin-1.6.2-an+fx+sm+tb.xpi
(Size:  1.5 MB (1,452,499 bytes) )

I presume that will install, the option to install does show when I open the file with Firefox DE

more options

Thanks, John. The original poster can only get Save Link As to work by disabling CSP. That doesn't make sense to me because I don't think CSP should apply to downloads, but I'm having a hard time monitoring the HTTP headers (didn't clicking a URL in the Browser Console used to display the headers?).

more options

Chosen Solution

I see this CSP data in HTTP response headers of the main page using Live Http Headers:

Content-Security-Policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__

Downloading an XPI file shows this for me:

Content-Security-Policy: default-src 'none'; report-uri /__cspreport__

Note that this data may come from CloudFront servers.

X-Cache: Hit from cloudfront
Via: 1.1 3d95c075cc2e7532826e1d3de1a75b2e.cloudfront.net (CloudFront)
more options

jscher2000 said

Thanks, John. The original poster can only get Save Link As to work by disabling CSP. That doesn't make sense to me because I don't think CSP should apply to downloads, but I'm having a hard time monitoring the HTTP headers (didn't clicking a URL in the Browser Console used to display the headers?).

Both ESR eqivalent Iceweasel & DE using Network Console there is a small icon top right appears show request details that has tab options including Headers & Security

Browser console similar

more options

Further to last post. Browser console at least in iceweasel is needing right click to display headers

e.g. Response Headers Δ205ms X-XSS-Protection: 1; mode=block X-Target-Digest: sha256:b705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Backend-Server: ip-172-31-47-33 Vary: X-Mobile, User-Agent Strict-Transport-Security: max-age=31536000 Server: nginx Location: https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e7471019f4c602d5395f2604a9f7235417c6c13ceb Date: Thu, 03 Mar 2016 01:17:46 GMT Content-Type: text/html; charset=utf-8 content-security-policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__ Content-Length: 0 Connection: keep-alive

more options

cor-el said

I see this CSP data in HTTP response headers of the main page using Live Http Headers:
Content-Security-Policy: script-src 'self' https://addons.mozilla.org https://www.paypalobjects.com https://apis.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://ssl.google-analytics.com https://addons.cdn.mozilla.net; default-src 'self'; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://ssl.gstatic.com/ https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; report-uri /__cspreport__

Downloading an XPI file shows this for me:

Content-Security-Policy: default-src 'none'; report-uri /__cspreport__

...

Hi cor-el, yes, this is exactly what happens.

Modified by JanetM.

more options

John99 said

Further to last post. Browser console at least in iceweasel is needing right click to display headers e.g. Response Headers Δ205ms X-XSS-Protection: 1; mode=block X-Target-Digest: sha256:b705c5b4e5c568f5c536e2e747... X-Frame-Options: DENY X-Content-Type-Options: nosniff X-Backend-Server: ip-172-31-47-33 Vary: X-Mobile, User-Agent Strict-Transport-Security: max-age=31536000 Server: nginx Location: https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.6.2-an+fx+sm+tb.xpi?filehash=sha256%3Ab705c5b4e5c568f5c536e2e747... Date: Thu, 03 Mar 2016 01:17:46 GMT Content-Type: text/html; charset=utf-8 content-security-policy: script-src 'self' https://addons.mozilla.org; ... report-uri /__cspreport__ ...

Hi John,

yes, this was in my case the reason, why i can't download nowhere at the addons.(cdn.)mozilla site .xpi with the 'Save Link as...' method above versions 31.8.

Is this an intended effect or a special constellation from a server where the files are provided ?

Modified by JanetM.