Firefox, DRM, and the end of NPAPI
There has been lots of talk about the end of the classic NPAPI interface which is currently supported by all versions of Firefox to make third-party technologies available in the browser.
The most popular plugins currently supported are Adobe Flash and Java, but there are more plugins that Firefox may pick up to make their functionality available.
Google kicked NPAPI out in Chrome 45 when it stopped support for NPAPI, and Mozilla announced that it would end support as well.
Google's advantage over Mozilla is that Chrome ships with a version of Flash built-in to the browser which means that the most popular NPAPI plugin is still available in Chrome, albeit in a different form.
Since Mozilla does not have an agreement with Adobe to do the same, it is at a significant disadvantage as the removal of NPAPI support would result in Firefox not supporting any Flash content on the Internet anymore.
Chrome on the other hand does not support any other NPAPI plugin which means for instance that you cannot run JAVA or Silverlight content in the browser anymore.
Firefox and DRM
Mozilla has been in a precarious position in regards to DRM functionality in Firefox. It had the option to integrate DRM playback capabilities to Firefox, which would please users who use services like Netflix on the browser but displease users who don't want DRM capabilities in the browser, or don't support DRM which would force users who want to use services that require them for streaming to switch to another browser for that but please users who oppose DRM in any form.
Mozilla added Adobe Primetime Content Decryption Module (CDM) in Firefox 38 to support DRM HTML5 streams.
Firefox users may have noticed that Primetime is listed as a plugin in the browser by default, and that there is also a OpenH264 Video Codec provided by Cisco for the same purpose. If you have not, type about:addons in the browser and switch to plugins when the page has loaded.
These plugins are set to "always activate", and the only other option you have is to set them to "never activate". The option "ask to activate" is not available.
Firefox users can disable the DRM on about:config as outlined in the linked article above. This removes the plugins from Firefox.
It is very likely that Widevine will get its own "turn off" switch once it is made available. Also, Mozilla maintains a special version of Firefox that is DRM free.
Update: Mozilla plans to remove support for Adobe Primetime in Firefox 52. This leaves Google Widevine CDM as the content decryption module the browser supports.
Google Widevine CDM
Mozilla announced a couple of days ago that it plans to bring another content decryption module to Firefox. The organization will push Google's Widevine CDM to Firefox Nightly soon which will add support for HTML5 video content that requires DRM to Firefox to add support for sites that rely on Widevine for that.
According to Mozilla, it is an alternative for "streaming services that currently rely on Silverlight for playback of DRM-protected video content".
The plugin will only be made available to Windows and Mac versions of Firefox, and it will only be downloaded to the browser when a user visits a site that requires it.
Update: Google Widevine is also available for Linux versions of Firefox since version 49.
The integration ensures that Firefox covers both Flash and Silverlight DRM on the Internet after the termination of support for NPAPI support.
The end of NPAPI
Up until now, Mozilla stated that support for NPAPI would end at the end of 2016 but did not reveal exactly when it would happen.
A post on Mozilla.dev.tech.plugins in February revealed updated plans. According to the information posted there, Mozilla plans to remove NPAPI support in Firefox 53 which will be out in March 2017.
The next Firefox ESR (Extended Support Release) version is 52 and will receive security updates for a year. By removing NPAPI in Firefox 53, the release *after* the ESR, users that need NPAPI support can continue to switch to Firefox ESR 52 and keep using NPAPI plugins until May 2018.
The main reason why Firefox 53 is picked is that Firefox 52 is a new ESR release. This means that anyone on ESR will be able to use NPAPI plugins until that version is no longer used and that is not before May 2018.
Schedule
Check out our release schedule for Firefox for exact dates (added when they become available).
- Firefox 52: new ESR version
- Firefox 53: NPAPI support is dropped in Firefox.
- Firefox 60: new ESR version without NPAPI support
- Firefox 60.2 ESR: The old Firefox 53 ESR version is no longer supported. The end of NPAPI in Firefox.
As is the case with future releases, things may change along the way. We will update the article should this happen. (Thanks Sören)
No more Pandora? No more Radio Tunes? No more games?
I’ve had Flash set to Ask To Activate on both FF and Pale Moon. I stopped using Pale Moon when I couldn’t get that option to work anymore. Ask to Activate appeared to be available, but it wasn’t working, so it was either all on or all off.
On pale moon it depends which theme you are using.try a different theme and see if that works as i noticed the same.
A curious side note:
The EME-free editons of the various versions, are the only ones for which Mozilla does not provide hash values in the releases archive.
https://download-origin.cdn.mozilla.net/pub/firefox/releases/
[It is always a good idea to check to insure a corruption free and true dl. Given that Mozilla has given the nod to apparent security by moving to SHA512 hashes only, it would be an even better idea from a security viewpoint, if the hashes were posted on a page and/or site other than the files (see recent Linux Mint breach).]
Being not agree with Mozilla add-ons signing policy, I switched to ESR channel months ago.
As for DRM plugins, I disabled them. Nothing I really need needs DRM and nothing what needs DRM I really need.
Hulu still does not work without Flash.
I wonder if using the ‘Lynx’ or the ‘Links’ text based web browser will protect my data and privacy?
http://lynx.browser.org/
http://links.twibright.com/
I’ve actually played with the ‘Lynx’ browser for a while and it was rather interesting and fun. :)
Fuck cisco !!!
fuck the control of private life !!!
shall we make an open source flash player ?!
Easier said than done. Flash itself is a licensed, proprietary technology, well protected by patents. Creating an Open Source alternative that’s a direct replacement isn’t a simple endeavor. It’s not just a matter of writing a bunch of code, the financial resources required just for negotiating the legal maze of valid stumbling blocks and groundless patent trolling will be a very significant factor.
The DRM elements should be System Add-ons
Mozilla compromised their free/freedom policies because of the support of the web standard (!) Encrypted Media Extensions? That’s… interesting. Mozilla has to support important web standards. There are only two options. The other option is that Firefox is the only browser without support and is unusable for a lot of people.
And yes, I am glad that I can use Firefox to watch Netflix and similar services. It doesn’t matter that there is still Silverlight because Silverlight won’t be supported soon. I am a Firefox Nightly user so I am affected by the end of this year. And it’s great to see NPAPI plugins die!
The “DRM element” is the CDM. And the user has at least a bit control about Gecko Media Plugins like CDMs in the add-on manager. WebExtensions are invisible for the user.
And the implementation doesn’t matter. Either Firefox does supprt EME or Firefox does not support EME. That are the two options.
No, the other option is a System Add-On. How is this confusing for you? Bundling the DRM elements into a System Add-On doesn’t affect anything you would notice; and it will surely happen, regardless of what you think or if you understand, so that’s fine.
Where do you see the difference for the user between a system add-on and a Gecko Media Plugin? Both are “extensions”.
The wrapper is currently built into the trunk code, which means Mozilla compromised their free/freedom polices. It’s a huge difference, covered on gHacks in detail the past. There’s really no reason now not to make the propriety elements into System Add-ons and I am confident that Mozilla will do so by the time they remove NPAPI support.
Just to clarify, AFAIK: the plugins mentioned are classed as GMP (gecko media plugins). The OpenH264 Cisco codec is open source, has no DRM, and is currently only used in WebRTC.
this disables ALL GMPs. You don’t even need to restart, but you may need to refresh your plugins page
user_pref(“media.gmp-provider.enabled”, false);
this disables ALL DRM (currently only adobe)
user_pref(“media.eme.enabled”, false); // Options>Content>Play DRM Content
this pref is for always activate (true) and never activate (false) for the Cisco OpenH264 codec (which is not DRM but is a GMP)
user_pref(“media.gmp-gmpopenh264.enabled”, false);
this pref is for always activate (true) and never activate (false) for the Adobe EME DRM CDM
EME (Encypted Media Extension) DRM (Digital Rights Managament) CDM (Content Decryption Module)
user_pref(“media.gmp-eme-adobe.enabled”, false);
disable auto-play of HTML5 media – i guess it’s similar to click-to-play. This is probably the best solution for “ask to activate” not being available as an option on the plugin page
user_pref(“media.autoplay.enabled”, false);
Clear enough. This has been done here together with other settings you made available here at https://www.ghacks.net/2016/01/04/the-firefox-privacy-and-security-list-has-been-updated/
Take care of your privacy, no one is better entitled to do so than yourself.
Testing firefox 45.0.1 here, OpenH264 plugin was preinstalled. Contrary to what I read in the article, 3 options (not 2) are available: always / ask / never. I’ve chosen “never” ff is still able to display youtube videos… however, youtube isn’t offering HD quality option.
I don’t know whether HD quality is unavailable due to absence of flash plugin, or because I’ve disabled OpenH264
Where can I find a site that depends on, and triggers auto-installation of “Primetime CDM” plugin?
Curious (and worried) to find out whether its silent installation will create an “evercookie” (in prefs? in a sqlite table?) which will remain even after the plugin is subsequently disabled.
“Contrary to what I read in the article, 3 options (not 2) are available: always / ask / never.”
^^ Have you tired to select “ask to activate”? It’s impossible.
OpenH264 has nothing to do with Youtube and HTML5 videos. It’s simply the codec they bundled for use with WebRTC. I have all current GMPs disabled (the whole two of them) and I can still run everything on youtube – https://www.youtube.com/html5 – 7 out of 7 ticks. Not sure about your HD content problem.
Thanks. You’re right — the displayed ‘ask to activate’ is, in fact, grayed out and cannot be selected.
What’s missing from this article is how Mozilla intends to maintain Flash support after removal of NPAPI? Adopt Chrome’s PPAPI interface? If they’re removing NPAPI altogether I’m guessing white-listing Flash will not be an option.
Mozilla’s last statement regarding Flash was to make a exception for Flash to support it longer than the other NPAPI plugins. I don’t know if this is still the current plan. But Mozilla won’t support PPAPI.
Have you tried this PPAPI wrapper? I have not tried it yet.
http://www.webupd8.org/2014/05/install-fresh-player-plugin-in-ubuntu.html
FWIW Adobe Labs is updating the Flash player for Linux, both NPAPI and PPAPI and 32/64 bit.
http://labs.adobe.com/technologies/flashruntimes/flashplayer/
There won’t be any Flash support in Firefox when NPAPI is dropped. Shumway, Mozilla’s Flash replacement, never made it to a production release.
By Firefox 53? Extremely improbable. That would mean breaking ten of thousands of websites. It won’t happen.
Since Mozilla does not have an agreement with Adobe to do the same, it is at a significant disadvantage as the removal of NPAPI support would result in Firefox not supporting any Flash content on the Internet anymore.
Really? What site has actual flash content that isn’t ad related? Even ads have moved from flash. All well-visited sites have ditched flash long ago. Streaming has been, as you have said, moved to html5.
google chrome does suppport plugins!!!(PPAPI) butt the ppapi version of adobe shockwave flash is bundled with chrome.
> What site has actual flash content that isn’t ad related?
Graphs plotting. I met Flash-based graphs of currency exchange rate on several sites dedicated to that matter.
BBC iplayer for one
http://www.bbc.co.uk/html5 you can opt-in to html5 for bbc iplayer.
“I don’t understand big companies’ policy in this regard.”
The usual things: money and effort. They don’t want to fund the switch to new technologies as long as they can get away with using the old ones. You’re right that Flash is garbage at this point. I don’t even have it on my system anymore (shock! horror!). :)
France Televisions has many sites and yet all videos require Adobe’s Flash, which is a shame when we all know 1- that Flash is on the road to hell and 2- HTML5 is available, is the future. I don’t understand big companies’ policy in this regard. I do know that Flash is excellently talkative of its users configurations (unless editing Flash’s mms.cfg file) and that could explain at least partially companies’ stubbornness to stick to Flash like a vampire to a throat. Insane.
There is more to Flash than ads, games for one.
Nothing of value. Including games. Ditch flash NOW. Only ones using it are enterprise/business only applications. This is a good thing. The faster we can ditch this age-old garbage un-secure tech the better.
> And nothing of value will be lost.
Games have no value? Not sure I agree with that one.
>games for one.
And nothing of value will be lost.