They are silently installed - at a minimum they should only be installed after a scary warning. self-signed certs are another interesting case, but maybe that is different enough it should be in a new bug (or just allowed?) This is tested in browser_registry.js and currently marked as a "known failure".
My suggestion for now is to silently reject any manifest on a domain where the cert fails, include a bypass with the social.provider.devmode preference so we can test with our presumably self-signed mochitest server. We should then revisit this to see if it is worth having UX to deal with this. mcoates: what do you think?
Created attachment 627831 [details] [diff] [review] Check the SSL status of the manifest host A patch that makes the tests work. The mochi server seems to have a real cert (or manages to pretend it does) so the devmode pref doesn't seem necessary at the moment.
Comment on attachment 627831 [details] [diff] [review] Check the SSL status of the manifest host still would like to be able to pref this off for development
Fixed in git as [develop a3a0bcc]