Google to ban all NPAPI browser plug-ins in Chrome in 2014
Plugins are one of the main sources for browser stability and security issues. This is especially true for plugins that are installed on nearly every computer system out there, such as Adobe Flash or Java.
The plugin system, the Netscape Plug-In API (or NPAPI) has been designed with good intentions and at a time where browser extensions and things such as HTML5 were not even on the radar yet.
Plugins are still widely used today, especially Adobe Flash as it is still the driving force behind most video streaming services, but also others such as Silverlight which is used by Netflix for the streaming of video or Unity for gaming.
Google just announced that the company will phase out all NPAPI-based plugins in the Chrome browser in 2014. It is a two-step process according to a post on the Chromium blog where Google engineer Justin Schuh explains the reasoning behind the move.
Phase 1: whitelist
Google's current plan is to start the first phase of the project in January 2014. This affects the stable channel of the browser at that time, and all but a selection of widely used plugins will be blocked in the browser automatically. According to Google, the plugins that won't be blocked at that time are:
- Microsoft Silverlight
- Unity
- Google Earth
- Java
- Google Talk
- Facebook Video
This is based on anonymous usage data that Google collects in the Chrome browser. Note that security has priority. This means that if a plug-in is blocked due to security reasons, it won't be available in the browser even if it has been whitelisted.
Options to enable other plug-ins will be provided in the short term, so that other plug-ins may be used in Chrome for the time being as well.
Phase 2: Plug-ins begone
Google will remove support for NPAPI before the end of 2014 from Chrome. This means that no plug-in that uses the API, not the whitelisted ones nor others, will work after that time in the browser.
This will affect existing NPAPI-based apps and extensions in Chrome's Web Store as well. Google gives developers time to update those apps and extensions until Max 2014. They are then removed from the Web Store home page, search and category pages, and unpublished in September 2014.
Flash?
Adobe Flash in Chrome is not using NPAPI, but is integrated natively in the browser. Flash in Chrome is not affected by this and will continue to work just like before. Google's implementation may miss a couple of features though and it is not clear if the company will integrate those before the "real" Flash is removed from the browser.
Closing Words
The announcement may have serious consequences for Internet companies. The Unity team for instance needs to find a way to bring the game engine to the Chrome browser without the use of plugins, and Netflix needs to move away from using Silverlight for streaming to other technologies.
While it is certainly possible to ignore the Chrome browser, it would be foolish for most businesses to do so, considering that it has a sizable share in the browser market.
Advertisement
i have played everything on chrome..now i have a problem with java…NO FAIR
I went to firefox,,but i love chrome…PLEASE BRING BACK JAVA WEATHER UPDATE OR NOT
How will this affect Javaws?
While I cannot say with 100% certainty, I would say it is not affected at all by this.
“If there’s a way for a site to take dependency on a browser quirk, and break if that quirk is removed, it will happen.†– -Eric Lawrence, Web Browser Legend.
Because Unity 4.3 is in beta, this is a good opportunity to update the Unity Web Player to PPAPI.
Google Talk and Google Earth Chrome plugins may be the first to convert to PPAPI after this announcement.
And lastly Adobe and Google may be forced into talks about a PPAPI Flash plugin.
I have long ago banned Chrome and other Google products on my machine. I don’t get why one would use Chrome since it is worse even than IE.
But how about Chromium, Chromiun does not have integrated Flash Player.
No Flash then in Chromium.
Isn’t this (the arrogance) one of the reasons everyone hated Microsoft’s Internet Explorer?? Keep it up, Google…
Embrace, extend, extinguish Google style.
Well, this is why there are Chromium-based forks that add back the functionality removed. The need to use Firefox and Chrome forks will increase in the future as they need their way and no other way.
Very good choice. There’s no other way… This is how it’s done. Cut it once and for good… It’s the same situation many programs do not get better ’cause they have to maintain combatibility with older PCs and OSes ( XP ).
Say, today all programs would be made for Win7 and newer and at least CPUs that support SSE2 and newer… Everything would be better.
That’s what Google did… They said, “enough”. No more support, let’s move on…
Your position is so absurd it isn’t worth my time to rebut it.
“Netflix needs to move away from using Silverlight for streaming to other technologies.”
Netflix is dumping Silverlight in favour of html5.
Can you point me to a post on this please?
never mind
“Adobe Flash in Chrome is not using NPAPI, but are integrated natively in the browser.”
Chrome’s native Flash, known as “PepperFlash”, is atrocious (under Windows, at least; I understand that under Linux it is the only available version of Flash.) I regularly disable it and use “regular” flash on every single Windows machine I touch. When Chrome goes through with this, I will stop using Chrome permanently for entertainment purposes (I will continue to use it for work, unfortunately), switching to Firefox, and recommend the same to everyone I meet.
“Adobe Flash in Chrome is not using NPAPI, but are integrated natively in the browser.”
And so does IE on Windows 8/RT, with integrated Flash in browser.
Incredible!
Chrome has so many useful plugins that make it much easier to work with. For example, I use LastPass to store and enter passwords, Open New Page (With this extension, new tabs display a blank page instead of the usual new tab page with thumbnails,) and FLST Chrome (The primary feature provides natural tab ordering plus options for tab-flipping, new-tab focus, and new-tab positioning) which brings focus to any new tab opened – very handy.
These, and others, are so useful to me that I am certain that I will leave Chrome for Firefox if and when the proposed changes come about. Much as I love Chrome, it just doesn’t work for me without the plugins!
What a disappointment. Who had this stupid idea?
They will keep extensions, only plugins get removed.
Ironic that they are leaving the Java plugin, which has more security holes than any other internet technology.
Looking at the list of NPAPI plugins on my system, there is nothing there other than Chrome generic stuff. So I don’t forsee any issues with my own needs at least.
As of Java 7 update 25 the Java browser plug-in only NO LONGER RUNS UNSIGNED CODE automatically, and features “click to run” so the “security issues” (drive-by exploits) experienced before are a thing of the past.
http://timboudreau.co/blog/The_Java_Security_Exploit_in_%28Mostly%29_Plain_English/read
ActiveX is much more of a security hole, with “killbits” downloaded via WindowsUpdate almost every “patch tuesday” yet it doesn’t the same amount of scaremongering and FUD.
FC
The blog post says Java is already blocked by default for security reasons. Users must explicitly enable it for every use on every page, as far as I know.
Typical Google arrogance: you manage to have a large part of the browser “market” and then you start trying to make the rules. I am sick of it.
I agree. It looks like if Google wants to push (only) their own “standards” and its browser to the marketplace. I get the feeling that this is also a new tactic towards Microsoft, Netflix, etc. (Google TV, Chromecast).