Justin Schuh, Security Engineer and Plug-in Retirement Planner for Google Chrome, said on Monday that browser plug-ins based on the popular Netscape Plug-in API architecture will be blocked starting next year. The roll-out will be in stages, with webpage-instantiated NPAPI plug-ins blocked by default on the Stable channel in January 2014.
The most popular NPAPI plug-ins used in the Chrome browser include Silverlight (15 percent), Unity (9.1 percent), Google Earth (9.1 percent), Java (8.9 percent, and already blocked by default), Google Talk (8.7 percent) and Facebook Video (6 percent). These will be temporarily white-listed for an unspecified amount of time to avoid disruption to users, he said.
"The Netscape Plug-in API (NPAPI) ushered in an early era of web innovation by offering the first standard mechanism to extend the browser," Schuh explained. "In fact, many modern web platform features—including video and audio support—first saw mainstream deployment through NPAPI-based plug-ins. But the web has evolved. Today's browsers are speedier, safer, and more capable than their ancestors."
He said NPAPI's 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year. In the short term, users and businesses will be able to white-list specific plug-ins, but eventually NPAPI support will be completely ripped out of the Chrome browser.
"We expect this to happen before the end of 2014, but the exact timing will depend on usage and user feedback," Schuh said. "Note that the built-in Flash plug-in and PDF viewer will be unaffected because they don't use NPAPI."
Google switched the Flash Player plug-in bundled with Chrome for Windows from NPAPI to a new plug-in architecture called Pepper Plugin API, or PPAPI, back in August 2012, and then made the switch in Chrome for Mac OS X one month later. Google's PPAPI forces plug-in code to run securely inside a sandbox, thus making Flash Player less susceptible to crashes.
As of Monday, the Chrome Web Store is refusing new Apps and Extensions containing NPAPI-based plug-ins. Developers with existing NPAPI-based Apps and Extensions on the platform will be able to update them until May 2014, when those items will be removed from the store's home page, search results and category pages. In September 2014, all existing NPAPI-based Apps and Extensions will be unpublished. Installed Apps and Extensions will continue to work until support for NPAPI is removed at the end of 2014.
Schuh said developers relying on NPAPI can use alternatives where standard technologies are not yet sufficient, including NaCl, the Native Messaging API, and Legacy Browser Support. Going forward, however, the Chrome team aims to evolve the standards-based web platform to cover the scenarios currently served by NPAPI.
"We feel the web is ready for this transition," he said. "NPAPI isn't supported on mobile devices, and Mozilla plans to block NPAPI plug-ins in December 2013."