In a new profile, load http://people.mozilla.org/~roc/fontinfo-0.1-fx.xpi. I get a doorhanger download notification followed by the "Install add-ons only from authors you trust" dialog. It's exactly the same experience as downloading an add-on from addons.mozilla.org. I thought only whitelisted sites such as addons.mozilla.org could trigger that dialog.
Actually no this is correct. The whitelist stops sites from starting add-on installs from JS or by the user clicking on links. If the user copies a URL to an XPI into the address bar manually then it is meant to download and install. If you have a page on people.mozilla.org that links to that XPI do you still see the same thing?
No. Thanks for the clarification, sorry for the distraction.