At present, Firefox will open a remote JAR file only if the server is configured to send a MIME type of application/java-archive or application/x-jar in the Content-Type header, unless the “network.jar.open-unsafe-types” advanced preference is enabled in “about:config”.

Ensuring that the server really wants to provide an archive was done in order to avoid potential cross-site scripting in sites that allowed users to upload content. For more information, see:

http://www.mozilla.org/security/announce/2007/mfsa2007-37.html