It's basically just working as a second level of confirmation (maybe third
level if the site you're on is not AMO), not really as a means to disable
installation. I think we did this because once upon a time (Firefox 1.0) we
had UI for controlling this in preferences. We removed that in 1.5 (instead
just defaulting to having installation enabled but a whitelist of sites
allowed to do it) and so there would have been a certain number of users
with add-on installation disabled but no way to enable it so I believe we
added this UI to allow re-enabling it as a compromise, instead of just
forcibly setting the pref back to the default.
I believe that the only people remaining these days that have
xpinstall.enabled=false are those that actually want installation disabled
(maybe kiosk UI or whatever). I know there is a minority of people who
actually want it for that additional level of confirmation but that doesn't
seem like a sensible reason for using the pref given we already require
agreeing to the install at least once after you enable installation. I can't
think of any other hidden pref like this that we have specific UI for
controlling when it isn't set as we expect.
I think we should just decide that xpinstall.enabled=false means add-on
installation is disabled and either not show any UI at all when an attempt
is made, or if we are particularly concerned about confusion of users of
locked down systems we should just show a plain notification with no option
Anyone take issue with this approach?
That was my thinking too, fwiw.
The original intent was the xpinstall.enabled=false meant the
feature was disabled, full stop. Like Java.enabled=false, or several
other "kill switch" prefs we have.
I'm sorry I missed this behavior change, it's completely wrong. We
should go back to the initial behavior. And no UI notification: off
is off, feature doesn't exist. It could be off because an
institutional roll-out decrees no unauthorized modifications (like
your kiosk example), or because Gecko is in a non-browser product
that doesn't support installs, or even because we've found a
horrendous security hole and everyone needs to be able to turn it off.