
You also need an environment variable to be set for it to work.

But yes, it seems to be something you can flip in production. The argument being that if you're in a position to flip prefs you already can break security in a million ways. It's not something you can accidentally flip either.

(The pref doesn't actually "let viruses take over the computer", it just turns off all the security checks)




It doesn't even turn off "all the security checks". It does make it so that certain APIs that let you do all sorts of stuff web content can't normally do are exposed.


I feel like having a global switch for all security checks is already not a good idea.


It's unlikely to be abused by an attacker, if it requires starting Firefox with a certain environment variable. Chrome has the same thing with a command line switch.

Useful for some internal unit/integration tests for release and test builds, but really dangerous when pointed to the web.


Actually, "all the security checks" is inaccurate; it seems to enable certain special powers in JS. It turns off one security measure. These special powers seem to be enough to compromise other stuff; but again, if you're in a position to flip that switch you already can compromise other stuff.



