We discussed security review in several other bugs (1511173, 1511104), and I think we are basically complete as far as security review of this feature goes. Our notes are captured in the document here:
The main risk focused on with this review was "could this flow be used by an attacker to coerce a user into installing a malicious add-on?" While it's possible (as it's possible for AMO add-ons to be malicious), I think it's unlikely to be a useful attack vector for an attacker (as compared to just a regular phishing site encouraging a user to install a malicious executable). The factors that lead me to this assessment are:
- this flow can only be used to prompt for installation of an addon, there is still user involvement in the install
- It's only possible for publicly listed add-ons (no unlisted add-ons)
- It applies only to users who do NOT already have Firefox
It's noted that as the design currently stands it would be possible for a 3rd party to take a link which generates a stub-installer for a specific add-on and send that anywhere. It might be possible to mitigate this by www.mozilla.org checking the referrer of a link. But this seems an unlikely attack vector due to the considerations listed above.
Just also to note for posterity, at the time of writing there is still ongoing discussion in 1511104 as to the need to sign parameters coming from AMO, so that www.mozilla.org could verify the link was generated by AMO. I think this is good defense in depth to limit the attack surface on the www.mozilla.org download page, but as pointed out in 1511104#c55, this link could always be copied and used elsewhere.
A recommendation has been provided in https://bugzilla.mozilla.org/show_bug.cgi?id=1511104#c58
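As an added illustration of the parameter-signing idea discussed in the comment above (example code written for this note, not AMO's or www.mozilla.org's implementation; the shared secret, parameter names and add-on slug are constructed placeholders), the block below signs the stub-installer link parameters with an HMAC and shows both what the check catches (altered parameters) and what it does not (an unmodified link pasted elsewhere):

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder: a secret that the link generator (AMO) and the
# download page (www.mozilla.org) would both hold. Not a real value.
SHARED_SECRET = b"example-shared-secret-not-real"


def canonical(params: dict) -> bytes:
    # Sort keys so both sides serialize the parameters identically before signing.
    return urlencode(sorted(params.items())).encode()


def sign_params(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """Return the query string with an appended 'sig' (hex HMAC-SHA256)."""
    sig = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return urlencode(sorted(params.items())) + "&sig=" + sig


def verify_query(query: str, secret: bytes = SHARED_SECRET) -> Optional[dict]:
    """Return the parameters if the signature is valid, otherwise None."""
    items = dict(parse_qsl(query, keep_blank_values=True))
    sig = items.pop("sig", None)
    if sig is None:
        return None
    expected = hmac.new(secret, canonical(items), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected digest via timing.
    if not hmac.compare_digest(expected, sig):
        return None
    return items


def demo():
    # Constructed parameters: a hypothetical listed add-on slug.
    link = sign_params({"addon": "example-addon-slug", "listed": "1"})
    ok = verify_query(link)
    # Changing the add-on parameter invalidates the signature.
    tampered = link.replace("example-addon-slug", "other-addon")
    bad = verify_query(tampered)
    # An unmodified link copied to another site still verifies: the signature
    # proves the link was generated by the holder of the secret, not who is presenting it.
    copied = verify_query(link)
    return ok, bad, copied
```

The third return value of `demo()` is the caveat from 1511104#c55 in code form: signing limits what the download page will accept, but a valid link remains valid wherever it is pasted.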