Google Dropping Netscape Plugin API Support In Chrome/Blink

An anonymous reader writes "Google today announced it is dropping Netscape Plugin Application Programming Interface support in Chrome. The company will be phasing out support over the coming year, starting with blocking webpage-instantiated plugins in January 2014. Google has looked at anonymous Chrome usage data and estimates that just six NPAPI plug-ins were used by more than 5 percent of users in the last month. To 'avoid disruption' (read: attempt to minimize the confusion) for users, Google will temporarily whitelist the most popular NPAPI plugins: Silverlight, Unity, Google Earth, Google Talk, and Facebook Video." Google offers NaCl as an alternative, and "Moving forward, our goal is to evolve the standards-based web platform to cover the use cases once served by NPAPI."

"standards-based web platform"

[Daniel+Dvorkin]

Standards are wonderful, and everyone should have their very own!

Re:"standards-based web platform"

[K.+S.+Kyosuke]

NaCl is definitely better than NPAPI. Can you spell "sandbox"?

Re:"standards-based web platform"

[XanC]

That may be, but why don't we "evolve" this other thing to cover all the existing use cases BEFORE disabling NPAPI?

Re:"standards-based web platform"

[am+2k]

However, NaCl is definitely not a standard if it's only implemented in a single browser.

Btw, Unity3D already supports NaCl with the same license that supports the web plugin. Silverlight needs to die anyways, and two of those plugins are Google services.

Re:"standards-based web platform"

I don't know what the hell NPAPI is, but I'm sure NaCl is better on french fries...

Re:"standards-based web platform"

[KiloByte]

NaCl supports only a tiny subset of NPAPI functionality, it's also not portable beyond i386 and armel.

NPAPI is just as secure (or more often, insecure) as the browser itself. Some sandboxing is in theory good, but NaCl hardly brings anything you can't already do, at a speed and sanity penalty, in javascript.

At the moment I have only two plugins installed: Flash and DNSSEC Validator. Tell me how would you implement the latter without either arbitrary network access or calling out to the OS.

Re:"standards-based web platform"

[gl4ss]

can you sell properiaty.. because I sure can't!

why not sandbox npapi?(yeah yeah, full of problems to do that. but not that much more than nacl).

also where does this leave say, unity web player? is nacl available as feasible route for other browsers? is nacl even ready?

Re:"standards-based web platform"

[tepples]

NaCl supports only a tiny subset of NPAPI functionality, it's also not portable beyond i386 and armel.

To which still-manufacturer-supported platforms is NPAPI portable?

Re:"standards-based web platform"

Our company uses a NPAPI (and activex on IE) plugin to bridge between our website and users' TWAIN scanners/cameras.

It's a fucking shame that after all the *chans and flickrs and reddit over the last decade that none of the browsers (even on the pads) have an "acquire" button to go with their "browse" button on the file upload box.

Oh wait, there's now a javascript API that will work on about three phones to get video. Whoop de fuck you I'm out.

Re:"standards-based web platform"

Ordinarily I'd be critical of Google along these lines; but this time it's justified. The N stands for Netscape! This was cool technology when AOL and dial-up were a big deal. I even wrote some plug-ins myself. It was fun; but it's ancient. AFAIK, It was always a company protocol that just happened to get picked up by others. Did it ever go through a formal standardization process? I doubt it. IE apparently dropped it a long time ago, and Mozilla is dropping it.

Re:"standards-based web platform"

IE apparently dropped it a long time ago, and Mozilla is dropping it.

Someone should tell Mozilla that.

Re:"standards-based web platform"

The N stands for Netscape!

The same company that invented SSL and JavaScript? Yeah, no-one uses any of their stuff anymore, that's a perfectly good reason to get rid of it all by itself.

Re:"standards-based web platform"

[binarylarry]

I think you mean "Standard-esque"

Re:"standards-based web platform"

[oPless]

Last I looked, NaCl is moving to llvm bytecode, allowing on the fly JITting to x86, Arm, etc.

The only thing that'll be really annoying is there will be no way to access hardware directly. I wrote a PC/SC plugin ages ago to do just this.

I guess the only way there now would be writing a signed Java applet...

But wait ... I can't do that on OSX, because ... Chrome is a 32bit app!

Re:"standards-based web platform"

[Bobakitoo]

They will never update their NPAPI plugin while it is still working. Because if it work, don't fix it.

The NPAPI is only depreciate at this point; the summary state that the most common used ones are white-listed. It is therefore probably not impossible to custom white-list any if your specific need.

Re:"standards-based web platform"

[LordLimecat]

Isnt NPAPI just another "de facto" standard anyways? Pretty sure the "N" stands for "netscape", not "W3C" or "IETF" or "RFC".

Re:"standards-based web platform"

[manu0601]

Tell me how would you implement [DNSSEC Validator] without either arbitrary network access or calling out to the OS

It could be done at the level of the OS' DNS resolver, for the good of all applications, including browsers.

Re: "standards-based web platform"

So is it being renamed JITCl, as it won't be native anymore?

Re:"standards-based web platform"

[Gwala]

Unity3d may support NaCl; but it has a couple of glaring deficiencies - like a lack of network support (this is apparently a issue with the Pepper API not supporting it). The webplayer (NPAPI) version is unfortunately also a bit faster at runtime.

Re:"standards-based web platform"

Include -> Embrace -> Extend -> Extinguish. The internationally valid professional conduct for destructive business practices.

Re:"standards-based web platform"

[Blaskowicz]

Manufacturer of what?
There's flash plugin for sparc, but they stopped at version 11.2.202.223 while the current one on linux is 11.2.202.310
But surely there are other NPAPI plugins than Adobe ones, like the totem or mplayer plugins.

For a web browser, let's see iceweasel 17.0.9 :
amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc

Re:"standards-based web platform"

[michelcolman]

You know, NPAPI is dinosaur technology, everyone should have stopped using it years ago. Really, all the major companies have ported their stuff long ago, except for a few lazy holdouts who haven't bothered to do the work, like... errr... Google itself?

Re:"standards-based web platform"

[hobarrera]

Things can be de-facto standard, or formalized by an organization (like the ones you mentioned).
NPAPI is a de facto standard.
NaCl is not a standard at all, just a protocol a single vendor designed themselves and implemented.

Re:"standards-based web platform"

[Ash-Fox]

Really, all the major companies have ported their stuff long ago

I don't know. Most firm specific systems were never ported, they were always direct x. Popular plugins like Adobe Acrobat reader, Silverlight, Unity, Google Earth, Google Talk, Facebook Video and Adobe Shockwave still use NPAPI.

Can you even name as many just as popular or more popular plugins that have been ported?

Re:"standards-based web platform"

[Elbart]

And completely under Google's control. Coincidence?

Re:"standards-based web platform"

[TheRaven64]

Yup. It's a pretty horrible API to and has completely insane integration with both event delivery and drawing, which made sense when you were trying to squeeze the last possible bit of performance out of a 33MHz machine without double-buffered graphics but make absolutely no sense now. It definitely does need to be replaced, the problem is getting people to agree on what. Microsoft tried to make ActiveX a replacement, but no one else adopted it. The only reason NPAPI still survives is that it's the only way of making a plugin that all of the major browsers support. Maybe now Chrome market share is enough that they can make all of the plugin makers implement a new API. Or maybe plugins just aren't as important anymore...

Re:"standards-based web platform"

[michelcolman]

I was being ironic. Google is saying that the technology is obsolete, yet they are still using it themselves for Google Earth and Google Talk.

Re:"standards-based web platform"

[StripedCow]

http://xkcd.com/927/

Re:"standards-based web platform"

[fa2k]

NaCl is definitely better than NPAPI. Can you spell "sandbox"?

Unfortunately, the major purpose of plugins is to break out of the sandbox, to access things like sockets, webcams, local files, hardware information, etc. I haven't seen many plugins for the purpose of running speedy code.

Re:"standards-based web platform"

Google Talk itself is deprecated. I know because I prefer it to the program they replaced it with (the new one sucks hard, I had to go hunting on archive.org to find a link to the Google Talk installer).

Re:"standards-based web platform"

[fast+turtle]

Considering that RFC stands for Request for Cock/Cunt - I'd say that standard is part of the "GOD" standard. Otherwise you wouldn't be able to post on /. would you?

Re:"standards-based web platform"

[fast+turtle]

Plug-ins make no sense in light of HTML5 so even Googles NaCL isn't going to be useful for very long.

Re:"standards-based web platform"

Because when we don't force people to change, they don't change and complains for eternity, like what's going on with windows XP...

Re:"standards-based web platform"

[slash.jit]

So Google is the new Microsoft ?

Re:"standards-based web platform"

NPAPI isn't changing because nobody can do so unilaterally at this point. According to the Mozilla folks who've looked at it, PPAPI is basically exposing the guts of Chrome - i.e. don't expect too much API/ABI stability. In contrast, NPAPI is in theory backwards compatible. (In practice, lots of things broke when they moved to out-of-process plugins.)

They aren't evolving things because plugin hosts do not play well with others. (And I don't mean just the Chrome people.)

Re:"standards-based web platform"

That may be, but why don't we "evolve" this other thing to cover all the existing use cases BEFORE disabling NPAPI?

Because it has been feature-complete for nearly 2 years, but depends on third parties to port their code, which history has shown they are generally not willing to do until it is absolutely necessary.

No More Amazon music :-(

[greggman]

I use the AmazonMP3Downloader plugin so when I purchase music from Amazon it gets added to my music library immediately.

AFAIK PPAPI (and NaCl) can't implement that because they need to save the music to places outside the sandbox.

Maybe Google can help define a "download to music library" HTML5 API?

Re:No More Amazon music :-(

Huh? Can't they just let you download the mp3 file, save it to your music library?

Re:No More Amazon music :-(

[GigaplexNZ]

No. The music library is outside the sandbox.

Re:No More Amazon music :-(

The old fashioned way was that you'd just download + open a .amz file, and the mime handler for .amz would start the download. Not the most intuitive or streamlnied method from a novice user perspective, but it works.

Re:No More Amazon music :-(

[AmiMoJo]

If AmazonMP3Downloader ever gets popular enough to attract black hats who use vulnerabilities in it to pwn your computer you might change your mind about the value of giving plugins that level of access.

Re:No More Amazon music :-(

[greggman]

Agreed, Which is why I suggested there should be an HTML API for it. Then there will be no need for a plugin.

A pox on both houses.

[RamiKro]

NaCl is a good implementation of a terrible idea: i.e Running software in the browser is all kinds of wrong.

Re:A pox on both houses.

Damn straight. Never run software in the browser!

Rendering HTML? That's running software in the browser. Get rid of it - it doesn't belong in the browser!

Re:A pox on both houses.

[Blaskowicz]

Great idea, let's serve a html renderer in javascript to render a website in the browser in a consistent way and without extraneous features.

Re:A pox on both houses.

Wrong. The web browser was the application, and its sole job was to display (it wasn't "rendered" at the time) very simple static documents -- bold/italic/plain text, pics & links -- for viewing was its job, just as Microsoft Word does with .doc files. No inner application was needed, and I'm not sure where you got the idea that there was.

Re:A pox on both houses.

[TheRaven64]

No it isn't. NaCl is a great proof of concept. It shows that you can sandbox x86 apps using some static analysis of the binaries and a few other constraints (it also showed that segmentation support on modern x86 chips is pretty poor and terrible on Atom). The problem is that it only works on x86 binaries. What proportion of Web use these days is (ARM-based) phones and tablets? 20%? If you make something that only works for 80% (and falling) of your customers, then that's a problem.

PNaCl is promising, but it's currently in early draft stage. It hard-codes some things into the ABI too early and misses other important things (e.g. no mechanism for exceptions, and they're very difficult to implement correctly in a PNaCl model). And, unlike NaCl, PNaCl relies on a complex compiler being bug free for security, and we all know how well that worked out for Java...

If not NaCl or JS, then what?

[tepples]

NaCl is "running software in the browser". JavaScript is likewise "running software in the browser", so it appears you'd be against that too. Would you rather require every developer of an Internet-connected application to develop an app for Windows, develop an app for Windows RT, develop an app for OS X, develop an app for GNU/Linux, develop an app for iOS, develop an app for Android, develop an app for Windows Phone, develop an app for Wii U, develop an app for Nintendo 3DS, develop an app for PlayStation 3, develop an app for PlayStation Vita, and develop an app for Xbox 360?

Re:If not NaCl or JS, then what?

[Mitchell314]

Yes. More work to do / less efficient task making = more manpower needed to get jobs done = more demand for software development labor = better job prospects for me. :)

Re:If not NaCl or JS, then what?

[RamiKro]

Yes. I am against both. Cross platform programming as an Interpreter running in a sandbox (JavaScript) or a bytecode VM (Java, NaCl...) shouldn't be done through the browser.
The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned. Maybe with an exception for audio\video if we can agree on a codec...

Keep application development and serving to the likes of Android's Play Store + Dalvik.

Re:If not NaCl or JS, then what?

[aitikin]

The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned.

"No one will need more than 637 kB of memory for a personal computer..."

Re:If not NaCl or JS, then what?

LOL... You were going along fine until you said "develop an app for GNU/Linux". Yeah, right - like any web developer is going to create an app specially for that 1.3% market...

Re:If not NaCl or JS, then what?

and don't even get me started on the horseless carriages...

Re:If not NaCl or JS, then what?

[dreamchaser]

The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned.

"No one will need more than 637 kB of memory for a personal computer..."

Apples and oranges. Having more RAM doesn't create a huge security risk like running code in a browser does.

Re:If not NaCl or JS, then what?

The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned.

And by 'Internet' you mean the web?

Re:If not NaCl or JS, then what?

[LordLimecat]

Nothing stops you from only writing a webpage thats HTML1 with no JS; just dont be surprised when noone wants to visit it.

Re:If not NaCl or JS, then what?

Apples and oranges. Having more RAM doesn't create a huge security risk like running code in a browser does.

NaCI is a sandbox, the only outside call allowed are to its API. It is entirely possible that these API can be exploited, but then it could also be exploited from JavaScript. If you are against running JS, remember that HTML and CSS are a specialized form of code that is not immune to bug and exploit either. Also UTF-8 is not immune, YOU ARE NOT EVEN SAFE FROM YOUR TELNET WEB!

Re:If not NaCl or JS, then what?

[swillden]

LOL... You were going along fine until you said "develop an app for GNU/Linux". Yeah, right - like any web developer is going to create an app specially for that 1.3% market...

Unlike the blockbuster that is Windows RT.

Re:If not NaCl or JS, then what?

[RamiKro]

Even if the security issues could be put to rest, there's no justification for running applications in a document viewer.
If Google is so concerned with serving up cross platform applications, they can package a VM and an App Store along with their browser. They can even conceive of their own URI scheme that will pass requests to the App Store to download and initialize Apps on the VM.

Is it really too much to expect something better then serving GUIs the likes of Facebook and Gmail inside the browser?

Re:If not NaCl or JS, then what?

[tepples]

Yeah, right - like any web developer is going to create an app specially for that 1.3% market...

Some web browsers Launchpad.net (the Ubuntu bug tracker) is made for a fraction of that 1.3% market. Besides, for which free (as in at least beer) operating system should developers of client-server applications create the client side of said applications? Or why is it desirable that purchasing a copy of a Microsoft brand operating system or an Apple brand computer be a prerequisite to participation in the public sphere?

Re:If not NaCl or JS, then what?

[hairyfeet]

Exactly and for an example of what can happen look at the "Yahoo Porn Bug" in my journal, I had customers spamming the living hell out of everyone in their address books and all that took was a little code, a hidden iFrame, and a browser that runs the same permission level as the user, in that case Firefox.

Frankly the whole current system is just fucked up, you can have code from as many as a dozen different servers, splattered all over the planet, all just to load a single page. And as more and more websites go "Web 3.0 apps apps apps...did we mention we have apps?" the ability to block all that crap from God knows where diminishes. I think the problem is that JavaScript was just never built with security in mind, it was back in the day when organized cybercrime and the like was the realm of sci/fi and instead of starting over when the thing started getting unsafe we just put bandaids on the bullet wounds.

Re:If not NaCl or JS, then what?

Good thing no one asked you when designing the internet.

Re:If not NaCl or JS, then what?

[CommanderK]

Two words: Java applets. This is exactly how they work, and it's a mess. You have to start the JVM every time you load an applet (or load it with the browser and keep it around), and then the UI is a mess. JavaScript inside a browser (with access to the DOM) is so much cleaner and faster (relatively) than the previous mess that were applets. Also similar is Flash, but Adobe got Flash performance to a decent level. However, both Flash and Java applets are going away (for good reason), and the future is probably HTML5 + JavaScript.

Re:If not NaCl or JS, then what?

[RamiKro]

JavaScript was executed* over the course of two weekends so it was never built with much of anything in mind let alone security...

To be fair, the person in charge has repeatedly apologized and EcmaScript board members has explained both in public and in private that they all in agreement that JavaScript should be phased out and replaced completely.

Sadly, narrow business interests and squabbling amongst Microsoft, Mozilla and Google have been preventing any progress in the matter. Microsoft is pushing TypeScript, Google is pushing Dart, Mozilla is sticking to a EcmaScript for now... Mind you this is nothing new. Adobe's ActionScript is a JavaScript derivative born under similar conditions.

*designed would be a stretch...

Re:If not NaCl or JS, then what?

[_merlin]

Actually, the fact that HTML1 doesn't exist stops you. HTML2 was an attempt to document what browsers of the time rendered (i.e. it was descriptive, as opposed to the prescriptive HTML3 and later), but there was no HTML1.

Re:If not NaCl or JS, then what?

[RamiKro]

Why should I care about visits? I don't live off advertisements and page hits.
I'm interested in delivering information. A company's portfolio... A product's specifications... A personal contact page... A data sheet... Wikipedia with NoScript is done right as far as I'm concerned.

Re:If not NaCl or JS, then what?

[dark_glaive]

Web browsers may have one been document browsers but that isn't true anymore. Welcome to life. Stuff changes constantly.

Re:If not NaCl or JS, then what?

[sharklasers]

Presentation is highly important in this business. Like it or not, an attractive web site does wonders for the opinion of those who might stumble upon it. It does not have to be laden with graphics and other whiz-bang features that slow down the browser, but a boring page suggests a lack of bother and care by the company, which might translate into related opinions from those who browse the page.

Geeks continually misunderstand and downplay the significance of image. Humans are visual creatures - ignore this facet at your peril.

Re: If not NaCl or JS, then what?

LOL that is because any dumb motherfucker who styles themselves a "web developer" shouldn't be allowed to write code.

Re:If not NaCl or JS, then what?

[washort]

So you think the platform for useful apps should be owned by Google instead of being open to everyone?

Re:If not NaCl or JS, then what?

[Blaskowicz]

uh?
I ran a few java applets a few years ago, mostly one yahoo game. What was striking is how smooth the game's little 2D effects were, and it did not use a shit ton of CPU like flash and javascript do. Java is more akin to using a native app, UI can be anything non standard just like flash or elaborate websites. Starting the JVM was slow in 1997, but that long ago, plus we had mode PIO 16 hard drives and 120MHz CPUs.

A shame that Java was plagued with updating/installation and security issues.

Re:If not NaCl or JS, then what?

[khellendros1984]

there's no justification for running applications in a document viewer.

Except that most of the world finds it pretty convenient, and anything we've called a web browser in the last 15 years or so has been much more than a document viewer.

If Google is so concerned with serving up cross platform applications, they can package a VM and an App Store along with their browser.

They do. The V8 Javascript Engine is implemented as a VM. They include the Chrome Web Store in the desktop version of their browser as well. That doesn't mean that it's not beneficial to run apps delivered over the web in the browser, the way that every other vendor does.

Is it really too much to expect something better then serving GUIs the likes of Facebook and Gmail inside the browser?

And what's wrong with it? A sandboxed plugin API and Javascript VM makes more sense to me than downloading a native app to handle the same thing, and I down see a benefit to having a some kind of Net-VM app, separate from the browser, to run web apps in. Either way, you're still talking about running someone else's code. From that perspective, keeping the browser integrated with a sandboxed scripting and plugin environment makes more sense than any alternatives I've heard anyone propose.

Re:If not NaCl or JS, then what?

637k was never an option. It went by increments of 16k up to 64k, then in increments of 32k from there to 640k.

Re:If not NaCl or JS, then what?

JavaScript was executed* over the course of two weekends so it was never built with much of anything in mind let alone security...

To be fair, the person in charge has repeatedly apologized and EcmaScript board members has explained both in public and in private that they all in agreement that JavaScript should be phased out and replaced completely.

Sadly, narrow business interests and squabbling amongst Microsoft, Mozilla and Google have been preventing any progress in the matter. Microsoft is pushing TypeScript, Google is pushing Dart, Mozilla is sticking to a EcmaScript for now... Mind you this is nothing new. Adobe's ActionScript is a JavaScript derivative born under similar conditions.

*designed would be a stretch...

If "the person involved" was really sorry, he wouldn't have driven the recent FF change to make disabling the language harder.

Re:If not NaCl or JS, then what?

Running applications in a web browser wasn't part of Internet design, you idiot troll. The web didn't even exist when the Internet was born.

Re:If not NaCl or JS, then what?

[K.+S.+Kyosuke]

Having more RAM doesn't create a huge security risk like running code in a browser does.

Why would running code in a browser create a huger security risk than running code outside of a browser? If anything, the latter is more dangerous. The browser at least is expected to expose only a limited interface for the downloaded code to manipulate the state of your machine. Anything else is a bug.

Re:If not NaCl or JS, then what?

[K.+S.+Kyosuke]

there's no justification for running applications in a document viewer.

I'd violently disagree with the idea that the web should be a repository of documents for document viewers. Your comment essentially embodies all that is wrong with the web and the people who developed it. Alan Kay got it right and you didn't, deal with it.

Re:If not NaCl or JS, then what?

[K.+S.+Kyosuke]

Two words: Java applets. This is exactly how they work, and it's a mess. You have to start the JVM every time you load an applet (or load it with the browser and keep it around), and then the UI is a mess.

Aren't you confusing a good idea with a bad implementation here?

Re:If not NaCl or JS, then what?

[K.+S.+Kyosuke]

To be fair, the person in charge has repeatedly apologized

...which he even sort of didn't have to, because the management was to blame for the most part of the outcome.

Re:If not NaCl or JS, then what?

[FauxReal]

We should probably just go back to Gopher.

Re:If not NaCl or JS, then what?

[TheLink]

The real problem is everyone has been coming up with "Go buttons" but there was no decent "Stop button". So to stop some stuff but not others you have to make sure ALL the unwanted Go buttons" are not pressed. And that is not easy to do. Some people say "Use a library" the problem is how do you make sure future "Go buttons" that haven't been invented yet are not pressed either? And how about different browsers behaving differently?

So more than 10 years ago I proposed that a "Stop" "button" be created: http://lists.w3.org/Archives/Public/www-html/2002May/0021.html
http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html

But there was no interest in such a thing till recent years with CSP: https://developer.mozilla.org/en/docs/Security/CSP

If the major browsers had implemented my simple suggestion years ago it would have been harder for the Yahoo, MySpace and other worms.

Re:If not NaCl or JS, then what?

[fast+turtle]

because the god damn browser wasn't expected or designed to run code originally. Just like PDF and all the extra crap Adobe keeps adding to Acrobat. The browser was designed as a Page Rendering/Document Veiwing Engine, not a god damn Turing complete OS like it is now.

Try running something like Dillo or Elinks that handles things properly - The browser is just a fscking document viewer and you'll see just how badly designed the web is.

It's the reason I use NoScript in Firefox and have it configured to Deny All by default plus I've gone through and un-trusted every fscking Certificate that's installed int the browser store (especially after the Diginotar incident). Hell I've only got a dozen certs I need to trust anyhow so why have the damn trust model that's being pushed down our throats by the Governments? Root CA's are no more trusted then any other by me. All they do is provide a chain of trust indicating that each company below Verisign has paid their "Dane Geld"

Re:If not NaCl or JS, then what?

[jones_supa]

Nothing stops you from only writing a webpage thats HTML1 with no JS; just dont be surprised when noone wants to visit it.

If it contained interesting stuff, HTML1 wouldn't stop me visiting it. Actually it might provide nicer experience than a modern web page which is surrounded with advertisement banners and various menus from every side.

Re:If not NaCl or JS, then what?

[CommanderK]

I also mentioned Flash, which was the same bad idea with a good implementation.

Re:If not NaCl or JS, then what?

Actually, the fact that HTML1 doesn't exist stops you. HTML2 was an attempt to document what browsers of the time rendered (i.e. it was descriptive, as opposed to the prescriptive HTML3 and later), but there was no HTML1.

HTML1 is the generally-accepted modern name for the format that was called "HTML" when it was originally designed, and is described in this document. Yes, it isn't a W3C recommendation, because W3C didn't exist when it was written. Nor is it an RFC, like HTML2 was. But that doesn't mean it didn't ever exist.

Re:If not NaCl or JS, then what?

[hairyfeet]

I didn't know that but after working corporate for several years it honestly doesn't surprise me. If the average person only knew how many major corps have just insane amounts of risky data, CC numbers, addresses and SSNs for example, being manipulated on some creaky as hell VB into Access DB cooked up over a couple of days by some guy that hasn't been with the corp in the better part of a decade? Or how many transmit the same risky data over the net to the main branch using some God Awful IE 6 ActiveX mess? Well I bet a LOT of folks wouldn't trust these companies as far as they could throw them.

But your post just supports what I've been saying for years, that JavaScript should have went the way of Gopher and somebody better, something designed from the ground up with security in mind, should have taken its place. I mean its insane the way websites are set up now, I have even seen CHECK OUT PAGES that had calls to third party ad servers! Talk about just asking for CC theft! But I have a feeling as long as the big three look at EVERYTHING as an excuse to try to get some lock in? we'll just keep putting bandaids on bullet wounds.

Re:If not NaCl or JS, then what?

[K.+S.+Kyosuke]

The browser was designed as a Page Rendering/Document Veiwing Engine

Uh...what? Have you actually seen WorldWideWeb? The only reason why virtually all later browsers were viewers-only was because the new guys found it "too difficult" to support the advanced features.

"anonymous Chrome usage data"

[oldhack]

That's why I don't use chrome. But firefox probably does the same.

Re:"anonymous Chrome usage data"

Tools -> Options -> Advanced -> Data Choices

That gives you decent control over the information sent to Mozilla. The "usage data" that you refer to (I believe this falls under "telemetry") is disabled by default on release builds on Firefox (enabled for in-development versions).

Re:"anonymous Chrome usage data"

Yes, it does:

https://wiki.mozilla.org/Telemetry

If Google can offer NaCl, they...

[EzInKy]

...can also offer pepper. Seriously, this is crazy. Everyone knows Google won't do no evil.

Re:If Google can offer NaCl, they...

Nowhere in the article does it say that pepper (ie. PPAPI) is going anywhere. You'll note that the built in flash and PDF viewer don't use NPAPI

Re:If Google can offer NaCl, they...

Oh, another thing. NaCl is actually based on NPAPI, probably wouldn't run quite so well without it.

Re:If Google can offer NaCl, they...

Nowhere in the article does it say that pepper (ie. PPAPI) is going anywhere. You'll note that the built in flash and PDF viewer don't use NPAPI

PPAPI needs to die in a fire, or at least stop being 1/3 slower than NPAPI. It is a serious performance hit to Flash games. I end up disabling it every time they re-enable it.

Re:If Google can offer NaCl, they...

[Carewolf]

Well NaCl it is one small corner of the bloated corpse of that is PPAPI.

Re:If Google can offer NaCl, they...

[jones_supa]

Nowhere in the article does it say that pepper (ie. PPAPI) is going anywhere. You'll note that the built in flash and PDF viewer don't use NPAPI

I think he was making a salt & pepper joke.

Chrome native messaging

[tepples]

I use the AmazonMP3Downloader plugin so when I purchase music from Amazon it gets added to my music library immediately.

AFAIK PPAPI (and NaCl) can't implement that because they need to save the music to places outside the sandbox.

AmazonMP3Downloader could be split into a part that runs inside Chrome and a separate process that downloads the file, and the two parts would communicate with Chrome native messaging. It's like when Windows Vista came out: applications that needed to run in the background with administrative privileges needed to be split into an elevated service and a not-elevated GUI.

Re:Chrome native messaging

[greggman]

Yea, that would work. So would a little local server (scary).

I still think I'd prefer an HTML5 Media Library API. Every piece of native code you ask users to install is yet another vector for trojans and viruses. If Amazon has to write one so will Barnes and Noble, Beatport and any other site that wants to let you download music, videos, books, etc directly into your OS's folders for those things.

Re:Chrome native messaging

[tepples]

Every piece of native code you ask users to install is yet another vector for trojans and viruses.

This is true whether Amazon MP3 Downloader/Cloud Player is an NPAPI plug-in or a separate process, so I don't see the difference.

Embrace, Extend, Extinguish?

Mark my words: Chrome is going to end up being a second IE 6-like millstone around the IT industrys neck. We are already seeing web sites that only work in Chrome (and Safari, if you're lucky). Firefox, IE (!), and whichever intrepid fourth party browser engines still exist on the periphery, will be reduced to second-class citizens..

Re:Embrace, Extend, Extinguish?

[LordLimecat]

Chrome renders with Webkit, which is used by multiple browsers. Its also one of the most standards-compliant engines out there; if Firefox / IE arent rendering a page and Chrome (webkit) is, thats probably a deficiency in those browsers' engines' standards support.

Re:Embrace, Extend, Extinguish?

[Rockoon]

IE used to be the most standards compliant browser out there too...

..then Netscape usage share dropped to single-digit percentages

..then IE stagnated

Re:Embrace, Extend, Extinguish?

[mrbester]

Chrome uses Blink nowadays, unless you're on iOS

Re:Embrace, Extend, Extinguish?

[BZ]

Actually, WebKit cuts corners on standards a lot more than Firefox and IE do. For example, the official CSS 2.1 test suite from when the standard was finalized two years ago shows WebKit passing about 89% of the tests (for comparison, Firefox passed about 97%).

If Firefox/IE aren't rendering a page and WebKit is, it's almost always because the page author has written WebKit-specific code (e.g. used -webkit CSS prefixes on properties that are supported without a prefix in other browsers).

What WebKit and especially Chrome _does_ have is much better marketing. Not least because they have a much larger marketing budget than, say, Mozilla. Sadly, their marketing is working well on you.

Re:Embrace, Extend, Extinguish?

[Lehk228]

I have not seen a page that firefox doesn't render correctly since it was called firebird.

my fiance insists on using chrome despite constantly having weird issues with it.

Re:Embrace, Extend, Extinguish?

[dkf]

If Firefox/IE aren't rendering a page and WebKit is, it's almost always because the page author has written WebKit-specific code (e.g. used -webkit CSS prefixes on properties that are supported without a prefix in other browsers).

The problem isn't using browser-specific extensions. The problem is that the page doesn't work without them. What's really wanted is a way to tell a browser to disable all vendor-specific extensions and to have everything be according to standard (or disabled) so that authors can check their stuff ahead of time.

Checking stuff ahead of time? Hah! I can dream...

Re:Embrace, Extend, Extinguish?

Chrome renders with Blink, which they forked from webkit some time ago, Opera moved to Blink also, leaving webkit pretty much in the hands of Apple.

Google is best avoided, period.

Google is actually a sanitized spinoff of a "no such agency" project.
Come on, you didn't REALLY believe that Brin and Page were two
clever boys who came up with this stuff on their own, did you ?
Anyone with a brain knows this is improbable in reality.

Every time you use Google for any reason or any purpose, you
are tracked and the data can be used for reasons you may not
even be able to imagine until it is too late. Sure, you think you
don't break any laws, and you may also believe that your life is
boring and as non-controversial as it gets. But when someone
who has the power to access the data decides you need to go down,
the data can be used to paint all sorts of pictures, such that when the
black Suburban comes to take you away, even your closest friends
and neighbors will be persuaded that they "never really knew you" and
that "it's a good thing you were caught before you did anything worse than
you had already done".

You can all laugh now. But rather than laugh, I suggest you watch the movie "Das Leben
des Anderen" ( "The Lives of Others" ). That movie will give you a good idea of what the
masses in the US have to look forward to as the US government takes action to make sure
that no one will resist its ever more insane foreign and domestic policies.

Re:Google is best avoided, period.

[jones_supa]

I think it's the "many people would give up their civil rights for a pint of beer" problem. We use Google products because they are nice and get the job done. Same reason why people use Facebook despite the datamining. Same reason why people get games from Steam despite the DRM. It's not a good thing, but I believe this is the reason. You don't feel the wrath of the evil parts in the typical day-to-day user experience.

The new IE is here

[Billly+Gates]

More and more Chrome is reminding me of IE from the humble IE 4 which was the best browser to the jaguarnut of IE 6 which still has not completely died off yet in China and some corporate portals.

Chrome rushes to throw HTML 5 and CSS 3 features not standardized on W3C so they can pass HTML5test and calls them HTML 5 and CSS 3 but really are made just like box model and CSS were invented by IE. The W3C in the end decided to make it a little different which is why when Firefox went one way the corps hung onto IE 6 instead.

This NACL and plugins is all 21st activeX to me. If MS did this for IE 11 everyone would be screaming bloody murder.

Re:The new IE is here

I see we are not letting a mere lack of knowledge be any impediment to voicing opinions tonight.

Re:The new IE is here

[gQuigs]

Are you sure that's your sig (Save IE6), or was that the end of your argument :)

Re:The new IE is here

[VortexCortex]

More and more Chrome is reminding me of IE from the humble IE 4 which was the best browser to the jaguarnut of IE 6 which still has not completely died off yet

I see we are not letting a mere lack of knowledge be any impediment to voicing opinions tonight.

Well, I've been developing "web services" since before the web existed (BBS networks), all the way up to HTML5 and beyond, with bleeding edge browser features pre-standardization, so let me weigh in on the issue:
/me shudders.

Re:The new IE is here

[pentadecagon]

Except that Google makes everything free and open, everybody is invited to copy it. There is nothing else they can do, short of bribing standard bodies.

Re:The new IE is here

[StripedCow]

From the NaCl FAQ:

Is Native Client open? Is it a standard?
Native Client is completely open: the executable format is open and the source code is open. Right now the Native Client project is in its early stages, so it's premature to consider Native Client for standardization.

You think that NaCl might lock you in to some proprietary standard, but the complete opposite is true: if you want, you can build your own version of HTML and CSS in NaCl, or build your own programming language. Hell, you can build a browser in NaCl.

Re:The new IE is here

[Richard_at_work]

Where is the patent waiver?

Re:The new IE is here

[knarf]

the jaguarnut of IE 6

Elephant bollocks. I guess you meant juggernaut? No nuts there but more to the point.

Re:The new IE is here

[dave420]

Then you're aware that there have been plenty of "standards" which have been adopted before standardisation, which varied across browsers. Waiting for standardisation would keep the web years behind where it otherwise could be, with the only headache being cross-compatibility shims, which are getting more and more powerful and easy to use with each generation of browser.

Hindsight is 40/40

Gee, thanks Google. You get a bunch of people addicted to your tech with promises of openness, standards, and "not being evil" and then you use it to foist your own unpopular tech on everyone. For what it's worth, I hope your hubris comes back to bite you in the ass, as it should with all of the "open standards" you're trying to spring on everyone as quickly and rudely as possible. I guess they feel as invincible as Microsoft did in the 90s with Explorer.

Re:Hindsight is 40/40

Gee, thanks Google. You get a bunch of people addicted to your tech with promises of openness, standards, and "not being evil" and then you use it to foist your own unpopular tech on everyone.

What you are ( quite rightly ) complaining about is a tech industry version of imperialism.

If you want to feel better, take a look at the history of pretty much any empire. They all
overreach, and this inevitably leads to their downfall. It is the cycle of life of
entities who allow emotions rather than intellect to rule their political and / or
business decisions.

                                                                                                                                        - Z

( captcha = inbreed
Can that really be an accident ? I think not. )

Does this mean I will lose LASTPASS?

[mlawrence]

I simply cannot function without that browser add-on. Why is Google doing this? I will be forced to switch browsers. :(

Re:Does this mean I will lose LASTPASS?

[gl4ss]

dunno why lastpass would need npapi. I don't use it, but I would guess lastpass acts more as a browser plugin, in the sense that it is a plugin for the browser and not a plugin for handling elements on the page that the page creator declared that plugin would handle(like a box on the page that's supposed to show a flash animation).

Re:Does this mean I will lose LASTPASS?

lastpass uses chrome's own internal browser extension api

Re:Does this mean I will lose LASTPASS?

No, it doesn't. LastPass does not use NPAPI.

Re:Does this mean I will lose LASTPASS?

They're phasing NPAPI out starting next year. So either LastPass will need to make a NaCl plugin or Google should add LastPass to their whitelist to avoid a backlash.

Re:Does this mean I will lose LASTPASS?

So either LastPass will need to make a NaCl plugin or Google should add LastPass to their whitelist to avoid a backlash.

Or do nothing, since, you know, they don't use NPAPI.

I find it telling

[msobkow]

I find it telling that even Google Earth doesn't use NaCl yet.

Chrome Web Store

[tepples]

If Google is so concerned with serving up cross platform applications, they can package a VM and an App Store along with their browser.

Chrome Web Store already exists on desktop versions of Chrome.

Re:Chrome Web Store

[RamiKro]

As part of Chrome. Using the browser's own APIs.
Similarly, you can use Mozilla's Marketplace in the desktop version of Firefox... Like I said earlier, a pox on both houses.

A round-trip and full reload for each click

[tepples]

The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned.

Usability would be horrible. For example, web-based paint programs can currently use HTML5 Canvas, SWF, or Java. But without any sort of client-side scripting, they would have to use a server-side image map and make a round-trip for each click on the image. And imagine how much longer Slashdot comment pages would take to update if every time you expanded or collapsed a comment, the server had to resend the full text of all other comments.

Re:A round-trip and full reload for each click

[RamiKro]

I'll ignore the web-based X programs issue since I've already mentioned I'm against serving application inside the browser.

As for the Slashdot comments, Slashdot should be an App. In fact, Slashdot is a prototype for apps like feedly.
Though the comments could still be served as read only on the html side... Somewhat like email lists archives.

Re:A round-trip and full reload for each click

[tepples]

As for the Slashdot comments, Slashdot should be an App.

There already was an app: the NNTP news reader. But no ISPs provide NNTP service anymore. So for which platforms would the Slashdot app be made available?

Re:A round-trip and full reload for each click

[RamiKro]

What's wrong with using a simple, RESTful, HTTP API? You can even support a JavaScript client using the same client.

Re:A round-trip and full reload for each click

[RamiKro]

same client's API...

Re:A round-trip and full reload for each click

Yes. The point is those applications would simply not exist! They're useless, this shouldn't be what the web is for

Re:A round-trip and full reload for each click

Independent ISPs (not the big ones owned by media companies) often *do* provide NNTP service, actually -- but they don't usually make a big deal out of it, and potential users have to either use the physical phone book's whitepages, BroadbandReports, or web searching to discover they exist. Sonic.net (California) and DSL Extreme (national wide-metropolitan) both do, just to name a couple offhand.

(Posting anon due to the stupid "you can post and moderate in the same discussion, but only if you hide who you are" rule.)

Re:A round-trip and full reload for each click

[AmiMoJo]

My ISP provides usenet servers. Keeps some major bandwidth inside their network.

The problem with usenet is that it's a free-for-all, no moderation. Slashdot is actually a really good example of how the web improved internet based discussion groups.

Re:A round-trip and full reload for each click

[tepples]

What's wrong with using a simple, RESTful, HTTP API?

What's wrong is the difficulty of getting your application approved by Apple, Microsoft, Nintendo, and Sony.

Re:A round-trip and full reload for each click

And imagine how much longer Slashdot comment pages would take to update if every time you expanded or collapsed a comment, the server had to resend the full text of all other comments.

Usually I just fetch and expand all comments before I start reading, it's far less annoying. Are you telling me that some people actually like this Ajax abomination?

(Note: not saying that Ajax itself is an abomination, just Slashdot's use of it.)

Re:A round-trip and full reload for each click

[tepples]

Paint chat, or virtual whiteboard, is the multi-user evolution of oekaki. If the web is not for long-distance visual collaboration, then what is?

Re:A round-trip and full reload for each click

The web? We're taling about HTTP and HTML, not the web. You can accomplish these tasks perfectly well without HTTP or HTML, and do a much better job might I add

Re:A round-trip and full reload for each click

[tepples]

We're taling about HTTP and HTML, not the web.

What's the difference between the HTTP and HTML on one hand and the web on the other?

Re:A round-trip and full reload for each click

The web is a global network of interlinked computers. HTTP is a protocol used to transfer HTML over (usually)TCP over (usually)the web.

Quake Live

[DudemanX]

Quake Live runs their engine through a NPAPI plugin. They're supposed to port that to NaCl just for Chrome users? More likely they'll just not support it and ask people to switch to Firefox.

Re:Quake Live

[msobkow]

You still play Quake?

How... quaint.

Re:Quake Live

Quake Live was released in 2010, so it is indubitably retro.

Re:Quake Live

[jones_supa]

You still play Quake?

How... quaint.

Hey, why not! I support the idea that games from any era can be played at any time. BTW Quake 3 Arena was still the game used for tournaments held at QuakeCon 2013. Playing both old and new stuff makes a nice mix of entertainment.

Torture....

[wbr1]

Google once again shuts down a service/feature, but this time they have the audacity to rub NaCl in the wound. That burns, it really does.

Re:Torture....

[phantomfive]

What's wrong with NaCl? Serious question.

Re:Torture....

[wbr1]

Um.. NaCl == Table Salt. Salt in a wound?

5% is irrelevant number.

It is odd that google quotes those stats from the article.
The stat that actually matters in a decision like this, is the percent of users who rely on a plugin. 1000 plugins used by .5% of the user base a piece can be significant.

It is strange that a data driven company would quote data that is irrelevant to the matter.

Enterprise apps

What about all the enterprise apps built in Java? This means we wont be able to use Chrome. Google loses by this move.

Lost Years of My Life to NPAPI

[glennrrr]

I used to have a programming job which involved maintaining a large C++ codebase which was shipped as a Windows desktop app, a Mac desktop app, NPAPI plugins on both Windows and Mac, and an Active X control. As it was written before 'modern' Mac NPAPI, you can imagine how ridiculously convoluted it was converting the Mac plugin to support such necessities as Core Animation layer rendering, and the sandboxed event handling that Safari moved to as an attempt to make NPAPI plugins secure. So I spent literally years trying to keep that sinking boat afloat when it was obvious we needed a Javascript/web app replacement product.

5%

[Hypotensive]

"I know, we'll just throw away 5% of our installed users."

You would have thought that Google would have heard of the long tail...

What about NPAPI Flash?

PPAPI Flash uses significantly more CPU and is prone to lag, even on my fairly new (Sandy Bridge) laptop. I've been keeping it disabled and using NPAPI Flash, but it looks like my Mom's computer will be fucked soon :( I'll have to switch her back to Firefox when the time comes.

"standards"

[hobarrera]

It's not a standard just because you publish the documentation. Or can I make the Hugo-Plugin-Standard now?

Google is just being a bully because of it's position. "Adopt our made-up standards, or don't interact with us."

Hello Mozilla!...

... I'm sure you were expecting it!

Mozilla's betting on Javascript, with Emscripten, asm.js, etc. and refuses to support NaCl (just like they wouldn't allow h264, until it became clear that Google fucked them with their webm promises).

The question is, how long until Firefox supports NaCl?

3 months or 3 years?

I foresee my life becoming hell

[sabbede]

I support a number of real estate offices, and the agents in those offices use a pair of MLS websites, both of which are written in flash. For continually varying reasons, there are compatibility issues with Chrome's (and now IE's) built in flash players. Now, I'm sure that Adobe will eventually have an NaCL plugin, but all I thought when I read this article was, "Oh crap. As if reInsight wasn't my nightmare already..."

Salt in the wound!

So now instead of writing/porting a plug-in to one API, you now have to do it for two. Not only do I bleed, but Google has poured NaCl in the wound.

VMWare

[brunes69]

This is going to make the VMWare browser-based console not functional, which was the only way to manage your VMWare instances in linux.... super.

Re:VMWare

[afidel]

Linux isn't supported in 5.5 anyways since they upped the flash version requirement to greater than the last version available for Linux.

Re:Next Page Google can take from MS

[bussdriver]

How do you think MS was able to fast track Office XML into an ISO standard?

Some "standards" don't happen without force.

Good

Plugins, whether NPAPI, ActiveX, or NaCL, should all die a horrible death.

You have HTML, HTML5, and JavaScript. That covers a heck of a lot these days; anything else and you can make a standalone app that I can run when I choose.

I meant "not PowerPC Macs"

[tepples]

Manufacturer of what?

Manufacturer of the computer. Mostly I was trying to exclude PowerPC Macs from a discussion of the future direction of NPAPI.

amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc

Now let me rephrase my question: For which of these platforms are NPAPI plug-ins still released?

Re:I meant "not PowerPC Macs"

Now let me rephrase my question: For which of these platforms are NPAPI plug-ins still released?

Like he said, if you could be bothered to read what you're replying to.

Re:I meant "not PowerPC Macs"

Manufacturer of what?

Manufacturer of the computer. Mostly I was trying to exclude PowerPC Macs from a discussion of the future direction of NPAPI.

amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc

Now let me rephrase my question: For which of these platforms are NPAPI plug-ins still released?

Obviously amd64, i386 and the variants of it listed are. Also armel (and armhf, which is backwards compatible with armel but adds usage of hardware floating point) and sparc. Other plugins may support other architectures, but these platforms have Oracle-supported versions of the Java plugin available.

Scanning was Re:"standards-based web platform"

[bsmedberg]

Scanner support for is on my short list of things to implement in Firefox, along with webcrypto so that sites stop using Java for its crypto library. I'd love help with it for anyone who is interested.

Appeal to tradition fallacy

[tepples]

Why would running code in a browser create a huger security risk than running code outside of a browser?

because the god damn browser wasn't expected or designed to run code originally

Expecting the current version of a computer program to be no larger in scope than the first version is a form of the appeal to tradition fallacy.

Re:Appeal to tradition fallacy

[K.+S.+Kyosuke]

Expecting the current version of a computer program to be no larger in scope than the first version is a form of the appeal to tradition fallacy.

It gets worse: the old version was much better.

Has Oracle commented on this?

Has Oracle commented on this? I've been trying to find a response all week but so far no luck finding anything. Basically has Oracle given up on java for front-end (applets) completely?