Google to ban all NPAPI browser plug-ins in Chrome in 2014

Martin Brinkmann
Sep 24, 2013
Updated • Sep 24, 2013

Plugins are one of the main sources of browser stability and security issues. This is especially true for plugins that are installed on nearly every computer system out there, such as Adobe Flash or Java.

The plugin system, the Netscape Plug-In API (or NPAPI), was designed with good intentions and at a time when browser extensions and things such as HTML5 were not even on the radar yet.

Plugins are still widely used today. Adobe Flash in particular is still the driving force behind most video streaming services, but others are in use as well, such as Silverlight, which Netflix uses for streaming video, or Unity for gaming.

Google just announced that the company will phase out all NPAPI-based plugins in the Chrome browser in 2014. It is a two-step process according to a post on the Chromium blog, in which Google engineer Justin Schuh explains the reasoning behind the move.

Phase 1: whitelist

Google's current plan is to start the first phase of the project in January 2014. This affects the stable channel of the browser at that time, and all but a selection of widely used plugins will be blocked in the browser automatically. According to Google, the plugins that won't be blocked at that time are:

  1. Microsoft Silverlight
  2. Unity
  3. Google Earth
  4. Java
  5. Google Talk
  6. Facebook Video

The selection is based on anonymous usage data that Google collects in the Chrome browser. Note that security has priority. This means that if a plug-in is blocked for security reasons, it won't be available in the browser even if it has been whitelisted.

Options to enable other plug-ins will be provided in the short term, so that other plug-ins may be used in Chrome for the time being as well.

Phase 2: Plug-ins begone

Google will remove support for NPAPI from Chrome before the end of 2014. This means that no plug-in that uses the API, neither the whitelisted ones nor any others, will work in the browser after that time.

This will affect existing NPAPI-based apps and extensions in Chrome's Web Store as well. Google gives developers time to update those apps and extensions until May 2014. They are then removed from the Web Store home page, search and category pages, and they are unpublished in September 2014.

Flash?

Adobe Flash in Chrome is not using NPAPI, but is integrated natively in the browser. Flash in Chrome is not affected by this and will continue to work just like before. Google's implementation may miss a couple of features though and it is not clear if the company will integrate those before the "real" Flash is removed from the browser.

Closing Words

The announcement may have serious consequences for Internet companies. The Unity team for instance needs to find a way to bring the game engine to the Chrome browser without the use of plugins, and Netflix needs to move away from using Silverlight for streaming to other technologies.

While it is certainly possible to ignore the Chrome browser, it would be foolish for most businesses to do so, considering that it has a sizable share in the browser market.


Comments

  1. sue said on April 17, 2015 at 8:40 pm

    I have played everything on chrome.. now I have a problem with java… NO FAIR
    I went to firefox, but I love chrome… PLEASE BRING BACK JAVA WHETHER UPDATE OR NOT

  2. Jane said on September 30, 2013 at 4:52 pm

    How will this affect Javaws?

    1. Martin Brinkmann said on September 30, 2013 at 6:59 pm

      While I cannot say with 100% certainty, I would say it is not affected at all by this.

  3. Ozzy said on September 27, 2013 at 5:33 am

    “If there’s a way for a site to take dependency on a browser quirk, and break if that quirk is removed, it will happen.” – Eric Lawrence, Web Browser Legend.

  4. Jedo said on September 25, 2013 at 11:11 am

    Because Unity 4.3 is in beta, this is a good opportunity to update the Unity Web Player to PPAPI.

    Google Talk and Google Earth Chrome plugins may be the first to convert to PPAPI after this announcement.

    And lastly Adobe and Google may be forced into talks about a PPAPI Flash plugin.

  5. smaragdus said on September 25, 2013 at 1:40 am

    I have long ago banned Chrome and other Google products on my machine. I don’t get why one would use Chrome since it is worse even than IE.

  6. TheAslan said on September 24, 2013 at 8:32 pm

    But how about Chromium? Chromium does not have integrated Flash Player.

    1. Martin Brinkmann said on September 24, 2013 at 11:10 pm

      No Flash then in Chromium.

  7. beachbouy said on September 24, 2013 at 8:16 pm

    Isn’t this (the arrogance) one of the reasons everyone hated Microsoft’s Internet Explorer?? Keep it up, Google…

  8. Gonzo said on September 24, 2013 at 7:04 pm

    Embrace, extend, extinguish Google style.

  9. GK said on September 24, 2013 at 5:31 pm

    Well, this is why there are Chromium-based forks that add back the functionality removed. The need to use Firefox and Chrome forks will increase in the future as they need their way and no other way.

  10. EuroSceptiC.GRE said on September 24, 2013 at 4:20 pm

    Very good choice. There’s no other way… This is how it’s done. Cut it once and for good… It’s the same situation many programs do not get better ’cause they have to maintain compatibility with older PCs and OSes (XP).

    Say, today all programs would be made for Win7 and newer and at least CPUs that support SSE2 and newer… Everything would be better.

    That’s what Google did… They said, “enough”. No more support, let’s move on…

    1. Ross Presser said on September 24, 2013 at 4:26 pm

      Your position is so absurd it isn’t worth my time to rebut it.

  11. ilev said on September 24, 2013 at 3:51 pm

    “Netflix needs to move away from using Silverlight for streaming to other technologies.”

    Netflix is dumping Silverlight in favour of html5.

    1. Ken Saunders said on September 26, 2013 at 4:35 am

      Can you point me to a post on this please?
      never mind

  12. Ross Presser said on September 24, 2013 at 3:23 pm

    “Adobe Flash in Chrome is not using NPAPI, but are integrated natively in the browser.”

    Chrome’s native Flash, known as “PepperFlash”, is atrocious (under Windows, at least; I understand that under Linux it is the only available version of Flash.) I regularly disable it and use “regular” flash on every single Windows machine I touch. When Chrome goes through with this, I will stop using Chrome permanently for entertainment purposes (I will continue to use it for work, unfortunately), switching to Firefox, and recommend the same to everyone I meet.

    1. ilev said on September 24, 2013 at 3:52 pm

      “Adobe Flash in Chrome is not using NPAPI, but are integrated natively in the browser.”

      And so does IE on Windows 8/RT, with integrated Flash in browser.

  13. thebluejay said on September 24, 2013 at 2:51 pm

    Incredible!

    Chrome has so many useful plugins that make it much easier to work with. For example, I use LastPass to store and enter passwords, Open New Page (With this extension, new tabs display a blank page instead of the usual new tab page with thumbnails,) and FLST Chrome (The primary feature provides natural tab ordering plus options for tab-flipping, new-tab focus, and new-tab positioning) which brings focus to any new tab opened – very handy.

    These, and others, are so useful to me that I am certain that I will leave Chrome for Firefox if and when the proposed changes come about. Much as I love Chrome, it just doesn’t work for me without the plugins!

    What a disappointment. Who had this stupid idea?

    1. Martin Brinkmann said on September 24, 2013 at 4:24 pm

      They will keep extensions, only plugins get removed.

  14. Duckeenie said on September 24, 2013 at 2:39 pm

    Ironic that they are leaving the Java plugin, which has more security holes than any other internet technology.

    Looking at the list of NPAPI plugins on my system, there is nothing there other than Chrome generic stuff. So I don’t foresee any issues with my own needs at least.

    1. Fernando Cassia said on September 24, 2013 at 9:23 pm

      As of Java 7 update 25 the Java browser plug-in only NO LONGER RUNS UNSIGNED CODE automatically, and features “click to run” so the “security issues” (drive-by exploits) experienced before are a thing of the past.

      http://timboudreau.co/blog/The_Java_Security_Exploit_in_%28Mostly%29_Plain_English/read

      ActiveX is much more of a security hole, with “killbits” downloaded via WindowsUpdate almost every “patch tuesday”, yet it doesn’t get the same amount of scaremongering and FUD.

      FC

    2. Ross Presser said on September 24, 2013 at 3:33 pm

      The blog post says Java is already blocked by default for security reasons. Users must explicitly enable it for every use on every page, as far as I know.

  15. Nebulus said on September 24, 2013 at 10:35 am

    Typical Google arrogance: you manage to have a large part of the browser “market” and then you start trying to make the rules. I am sick of it.

    1. Peter (NL) said on September 24, 2013 at 1:03 pm

      I agree. It looks as if Google wants to push (only) their own “standards” and its browser to the marketplace. I get the feeling that this is also a new tactic towards Microsoft, Netflix, etc. (Google TV, Chromecast).
