Created attachment 557477 [details] ffbug.png User Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0 Build ID: 20110811165603 Steps to reproduce: When clicking on a link to install an add-on, the warning message displays the name of the site hosting the link, not the name of the site hosting the actual add-on. For example to install the latest Firebug beta there is a link in http://blog.getfirebug.com/ to the add-on which is on the site http://getfirebug.com/. FFx prompts you to allow "blog.getfirebug.com". This is potentially a security issue since users are being prompted to trust the site that is referring you to the add-on, not the site actually hosting the add-on. This seems similar to the report in bug 294450. The answer there was that issue was an intentional design, but I don't see a good reason why you would intentionally ask a user to trust a site when the software is actually coming from a different site. Tested on FFx 6.0.1 / Win7 and FFx 6.0.1 / Kubuntu 11.04 Actual results: I was prompted to trust blog.getfirebug.com, the referring site, not getfirebug.com, the site actually hosting the add-on Expected results: I should have been prompted to trust the site that is actually hosting the add-on, getfirebug.com, not the site that is referring me there.