
Users will abuse the ability to control their own machines. Given full administrative privilege on their machine, it takes, by my experience, about a month until the machine either has various pieces of malware installed or their malware has malware installed.

The average user cannot be trusted with full control of their machine, and it's fairly reasonable to say that power users need to take the extra steps to, for example, install a power user edition of Firefox.




I'm not asking for full administrative privilege.

I'm asking for: "If the user goes into a deep part of the obscure developer options and bypasses the warnings about unsigned addons, and then uses a non-obvious but documented process for side-loading, something virus peddlers can't really walk users through, then Firefox should honor that while explicitly displaying the list of unsigned addons the users added."

>I'm not dismissing people who aren't as capable as me either, I've mentioned alternative approaches and I'm getting tired of having to repeat "there is the dev and nightly edition" to the same 5 people over and over again.

And I and others have explained how those involve unacceptable tradeoffs and run directly contrary to "give users back control over their machines" ethos, though not, of course, to your extremely limited version of the ethos.


>"If the user goes into a deep part of the obscure developer options and bypasses the warnings about unsigned addons, and then uses a non-obvious but documented process for side-loading, something virus peddlers can't really walk users through, then Firefox should honor that while explicitly displaying the list of unsigned addons the users added."

Any such process would have to be difficult for external programs. As it stands, the best way to get verification of such a setting is through the built-in binary verification that Firefox does, which requires that any application reverse engineer and patch the binary to install its own addons.

Your process requires editing the about:config values, which is possible for an external application and installing an addon, which copies it into a specific folder and is also possible for an external application. We know this is possible because this is what other applications did to install their shitty toolbars.

>And I and others have explained how those involve unacceptable tradeoffs and run directly contrary to "give users back control over their machines" ethos, though not, of course, to your extremely limited version of the ethos.

It seems to me that further discussion is unnecessary considering you continue to ignore significant portions of my comments.
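The comment above points out that an external program can change about:config values (they live in the profile's prefs.js) and drop an addon into the profile's extensions folder. An added example, not code from this thread: a small profile auditor that parses prefs.js for settings which weaken the add-on install policy and lists sideloaded .xpi files. The preference names are real Firefox prefs; the sample prefs.js content and the addon filename are constructed here.

```python
"""Audit a Firefox profile directory for traces an external program could leave:
prefs that loosen add-on signing and .xpi files sideloaded into extensions/.
Added example, not from the thread. The pref names are real Firefox prefs; the
sample prefs.js text and the .xpi filename below are constructed."""
import re
import tempfile
from pathlib import Path

# prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Prefs that, at these values, relax the add-on install policy. Assumption: this
# is a starting watch-list for an auditor, not an exhaustive policy.
RISKY_PREFS = {
    "xpinstall.signatures.required": "false",
    "extensions.autoDisableScopes": "0",
}


def parse_prefs(text):
    """Return {pref_name: raw_value_text} for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def weakened_prefs(prefs):
    """Names of watched prefs that are set to their risky value, sorted."""
    return sorted(name for name, bad in RISKY_PREFS.items() if prefs.get(name) == bad)


def sideloaded_xpis(profile_dir):
    """Filenames of .xpi packages sitting in the profile's extensions/ folder."""
    ext_dir = Path(profile_dir) / "extensions"
    if not ext_dir.is_dir():
        return []
    return sorted(p.name for p in ext_dir.glob("*.xpi"))


def audit_profile(profile_dir):
    """Combine both checks into one report for a profile directory."""
    prefs_path = Path(profile_dir) / "prefs.js"
    prefs = parse_prefs(prefs_path.read_text()) if prefs_path.exists() else {}
    return {
        "weakened_prefs": weakened_prefs(prefs),
        "xpis": sideloaded_xpis(profile_dir),
    }


# Constructed sample prefs.js content (not from a real profile).
SAMPLE_PREFS = '''\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("xpinstall.signatures.required", false);
user_pref("extensions.autoDisableScopes", 0);
'''


def demo():
    """Build a throwaway profile with the constructed sample and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "prefs.js").write_text(SAMPLE_PREFS)
        (profile / "extensions").mkdir()
        # Constructed placeholder addon package; only the filename matters here.
        (profile / "extensions" / "toolbar@example.invalid.xpi").write_bytes(b"PK")
        return audit_profile(profile)


if __name__ == "__main__":
    print(demo())
```

Run it against a real profile by calling `audit_profile("/path/to/profile")`; a non-empty `weakened_prefs` list or an unexpected .xpi is what an administrator would want to see flagged, since either can be produced by a program with the user's file permissions rather than by the user.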


>Any such process would have to be difficult for external programs.

Why? If the user already has a malicious 'external application' running on their system with sufficient privileges to do any of this, then they're already screwed, and they have bigger problems to worry about than malicious WebExtensions.

More generally, I don't think we should hold applications responsible for the security or behaviour of parts of the software/hardware stack at equal or higher privilege level to them, including other applications. Mostly because, well, they can't do anything truly effective in that regard.

I see you're worried about average users unknowingly installing random malicious crap, and I've seen a lot of that myself. I think the way forward is pretty much what is being done on mobile platforms currently: universally applied application sandboxing, usage of existing fine-grained access control models (and also the development of ones that are saner to use), and better communication to the user about what their applications are doing and what the permissions they are requesting actually mean. Yes, it's still a clusterfuck, but it's an improvement.

A security model involving applications in an arms war with one another, using increasingly byzantine restrictions in an attempt to prevent external manipulation, feels less like something I would want any part of, and more like something out of a dystopian sci-fi novel.

: Although I think Google went too far on the "lock things down completely" side of things when they made it outright impossible to, say, use rsync to back up or sync the entire contents of a phone's SD card to/from the network.



