Step 0. erase all allowed domains for addon installation 1. open new tab 2. paste some url for .xpi into URL bar 3. press return 4. get software installation dialog The same for FF3b5, FF18.104.22.168
The untrusted site waning is not displayed. This can be reproduced when the link is sent from other applications. Isn't this critical issue??
See Bug 363591 Comment #2 for a quick explanation. I'm looking for the bug that added the xpinstall whitelist which explains this in greater detail. Essentially, the xpinstall whitelist is to prevent drive by installation prompts (similar in functionality to a popup blocker) from web pages and not to prevent user initiated installs as described in this bug.
From Bug 322697 Comment #7 See bug 259670 and bug 240552 (especially bug 240552, comment 38) for an explanation.