What about Joe Average User who downloaded an extension from me? I can understand wanting to prevent third-party software from injecting extensions behind users' backs, but can these users still install extensions directly, from a file, regardless of how that file found its way to their hard drives?
They can drag and drop it on the firefox window and it will install it just fine still. The only change that is happening is auto-installation of extensions found in a specific folder, which is how a lot of crapware extensions find their way into people's firefox installation, but almost no legit extensions get installed this way.
That doesn't appear to be correct. All unsigned extensions will be blocked in all release versions. Without a developer/unbranded/nightly version, you're not allowed to install anything that didn't come from Mozilla's add-ons site. https://news.ycombinator.com/item?id=21418604
Yes, but you can sign your xpi via a command line tool (which calls the AMO API) and then distribute that however you want. It can be installed by dragging into about:addons.
While what you want can still be achieved (as Mozilla has gone to great lengths to explain), what makes you think that "Joe Average User" would be best off downloading extensions from every you that tells them they can get a browser toolbar with whatever software install they're using?