Yes, backing up Drew(#47), aardvarkruby-avast (#43), and obviously sjw (#9).
I "installed" the 1.0.2 study by directly pasting in the link (the entire link, not just the bit that was link-ified by the browser) into the address bar of Firefox (no other browser needed), and it automatically detected the "XPI" and allowed me to install.
Now a quick examination of the "FIX":
But a Caveat first. Although I have been a developer for ~30 years, I have never worked on any free software projects, let alone Firefox.
Now a quick examination of the downloaded XPI shows that it is a ZIP archive, and the meat of the fix appears to be in the api.js file (folder path: ...\email@example.com\experiments\skeleton\api.js).
Superficially, this looks to install a digital signature and forces a re-verification of all of the signatures. It's right there in the code - a measly 33 lines in entirety.
Anyway, this looks like a signature leak. So I clearly expect that the signature that has been used will become invalidated at some point - and thus the "FIX" rendered, invalid. Hopefully, not before a new release of Firefox, thus not this needing this "studies...", ah, yeah.
Right now it's working for me, and I can go back to watching youtube.
Oh, and I might have been seeing things. But I could have sworn my firefox version was 66.0.4 beforehand. But looking now, it is 66.0.3.