But if you can "manually install" an extension, why can't a third-party manipulate files on disk to reflect the same state of affairs as though you've manually installed?
And assuming that's possible, doesn't that mean they've just made side-loading more difficult to do than actually prevented it?
If that's the case, it just means that _you_ won't be able to sideload, effectively, but Skype et al will put in some programming time and be able to sideload again.
I think you'll need to review whatever method Firefox uses to flag what extensions the user approved.
In general, the OS provides different ways to store data in an encrypted manner so that only your application can read it back. (Keychain on Mac, and DPAPI on Windows.)
Furthermore, modern OSes provide sandboxing so that your application can not be tampered with. I'm not sure if Firefox uses this.
Also, if you're able to figure out how to hide a private key, (perhaps in the Keychain or via DPAPI) you can then use things like digital signatures to know what the user really allowed, and know if your approval mechanism was tampered with.
Granted, these mechanisms aren't foolproof... They just make it harder for malware to see things it shouldn't.
There's no way Firefox can protect itself from a 3rd party that can write to the disk. It's only making it more difficult. Viruses will still manage OK.
And assuming that's possible, doesn't that mean they've just made side-loading more difficult to do than actually prevented it?
If that's the case, it just means that _you_ won't be able to sideload, effectively, but Skype et al will put in some programming time and be able to sideload again.
Correct me if I'm wrong!