Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Will Block All NPAPI Plugins By Default In January

Posted by samzenpus on from the end-of-the-line dept.

An anonymous reader writes Google today provided an update on its plan to remove Netscape Plugin Application Programming Interface (NPAPI) from Chrome, which the company says will improve the browser's security, speed, and stability, as well as reduce complexity in the code base. In short, the latest timeline is as follows: Block all plugins by default in January 2015, disable support in April 2015, and remove support completely in September 2015. For context, Google first announced in September 2013 that it was planning to drop NPAPI. At the time, Google said anonymous Chrome usage data showed just six NPAPI plugins were used by more than 5 percent of users, and the company was hoping to remove support from Chrome "before the end of 2014, but the exact timing will depend on usage and user feedback."

54 of 107 comments (clear)

  1. Which 6? by Snotnose · · Score: 1

    If I knew which 6 NPAPI plugins were used I'd know if I cared or not.

    1. Re:Which 6? by jandrese · · Score: 4, Informative
      From the link:

      Silverlight (launched by 15 percent of Chrome users last month).
      Unity (9.1 percent).
      Google Earth (9.1 percent).
      Java (8.9 percent, but already blocked for security reasons).
      Google Talk (8.7 percent).
      Facebook Video (6.0 percent).

      Silverlight is in that list thanks to Netflix, but Google got HTML5 video working for Netflix so that should drop off of there. Google Earth seems like something Google can fix as well. Same with Google Talk.

      Unity, Java, and Facebook Video might be problematic however. I guess we'll have to wait and see if Chrome users are important enough for the respective companies to redevelop their plugins.

      --

      I read the internet for the articles.
    2. Re:Which 6? by Guspaz · · Score: 1

      Those percentages are out of date. The percentages from the latest update are:

      Silverlight (11 percent of Chrome users, down from 15 percent)
      Google Talk (7 percent of Chrome users, down from 8.7 percent)
      Java (3.7 percent of Chrome users, down from 8.9 percent)
      Facebook Video (3 percent of Chrome users, down from 6 percent)
      Unity (1.9 percent of Chrome users, down from 9.1 percent)
      Google Earth (0.1 percent of Chrome users, down from 9.1 percent).

    3. Re:Which 6? by Pope+Hagbard · · Score: 1

      Talk won't be fixed. It's been deprecated in favor of Hangouts.

    4. Re:Which 6? by Actually,+I+do+RTFA · · Score: 1

      Just six plugins are used by more than 5% of users doesn't seem to be that significant. After all, 1000 plugins used by 1% of users will have far more impact than that.

      Also, I do wonder if there is a correlation between people who use more plugins, and those who opt not to send anonymous data in.

      --
      Your ad here. Ask me how!
    5. Re:Which 6? by Chrisq · · Score: 1

      too bad hangouts is a piece of shit. fuck google.

      Nut then so was google talk. It seems like a like-for-like replacement

    6. Re:Which 6? by jones_supa · · Score: 1

      Uuhh, nerd rage. Sent from mother's basement and spoken out with a nasal "young Bill Gates" voice.

    7. Re:Which 6? by IamTheRealMike · · Score: 1

      Yes, but exploited browser rendering engines have been a large source of infections too. Sandboxing mobile code is just really hard. However the web is indispensable whereas Java applets aren't, so Java is the one that gets thrown out.

      I suspect there isn't any way to build support for Java applets that satisfies Google's policies, therefore, they will end up being restricted to other browsers for the small number of people who need them (mostly enterprise apps).

      These days the Java sandbox is actually a lot better than it used to be. Last I heard there had been no zero days this year at all. However, the Java update story still sucks, and Sun/Oracle have made Java supremely unpopular on Windows thanks to the crappy update nags and bundled adware. So nobody will be sad to see it go. Java is moving to JRE bundling for distributed apps anyway: I've written one with the new tools and it basically works like a regular desktop app, with a native installer / package on each major platform.

    8. Re:Which 6? by Anonymous+Brave+Guy · · Score: 1

      This is all too true, unfortunately. Java plug-ins have become increasingly obnoxious about security in recent releases, to the point that software that used to work just fine is now very awkward to use, and both Google and Oracle keep saying things that boil down to "we'll stop it completely, sometime, maybe".

      What everyone seems to forget is how many serious/critical vulnerabilities quietly get patched in the major browsers each update. Go ahead and check the change logs. Thinking browsers themselves won't simply take over as the target as they incorporate some of these new features directly is like thinking you're immune to malware because you run Linux.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    9. Re:Which 6? by AmiMoJo · · Score: 1

      Chrome is the dominant browser now, so it's more a question of if those plug-ins are important enough to be redeveloped for the majority of users.

      The replacement API has been around for ages, and is much more secure. If I used any of those plug-ins I'd be demanding they get upgraded for my own protection, or stop using them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Which 6? by style7711 · · Score: 1

      Ouch! I use java and silverlight daily.

    11. Re: Which 6? by Dishevel · · Score: 1
      Good thing you did not start working on the problem over a year ago when they announced they would be doing this.

      Now you can be all surprised and put upon by evil Google.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    12. Re: Which 6? by doccus · · Score: 1

      Hmmm.. and how many of these plugins are actually Google apps? Like.. "Oh man what are we going to do today to piss people off and show how many defenseless babies we can kick to the curb?" "I've got it.. lets kill Google Earth"

  2. Which plugins? by rduke15 · · Score: 1

    So, which plugins does this really affect?

  3. Why Chrome when you can use Chromium? by Teun · · Score: 1, Interesting

    An honest question, why use Chrome when you can also use Chromium and not be 'the product'?

    I'll stick with Firefox.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    1. Re:Why Chrome when you can use Chromium? by farble1670 · · Score: 1

      https://code.google.com/p/chro...

      looks like there's little difference two me. you are only the product if you sign in to google, which is true of whatever browser you choose.

    2. Re:Why Chrome when you can use Chromium? by afgam28 · · Score: 1

      An honest question: if you don't want to be "the product" then what are you doing here? How do you think Slashdot makes its money?

    3. Re:Why Chrome when you can use Chromium? by pandronic · · Score: 1

      Firefox for Android is really good.

    4. Re: Why Chrome when you can use Chromium? by mwvdlee · · Score: 1

      I can haz both!
      Use Google and its ilk for 99.9% of my daily activity, use privacy-respecting tools for the remaining 0.1% that requires privacy.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    5. Re:Why Chrome when you can use Chromium? by jones_supa · · Score: 1

      I suspect Dice doesn't do nearly as much datamining as Google.

    6. Re:Why Chrome when you can use Chromium? by mister_playboy · · Score: 1

      Google has never provided binaries on their Chromium site and that has always seemed like a very deliberate choice to deter would be users.

      To run Chromium (on Windows) you must to dig through third party sites which may or may not have the latest version of Chromium available and may or may not bundle adware garbage installers.

      Chrome binary download links, in contrast, are featured prominently on many sites. It is heavily advertised.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    7. Re:Why Chrome when you can use Chromium? by JackieBrown · · Score: 1

      Google has never provided binaries on their Chromium site and that has always seemed like a very deliberate choice to deter would be users.

      To run Chromium (on Windows) you must to dig through third party sites which may or may not have the latest version of Chromium available and may or may not bundle adware garbage installers.

      Here you go...
      https://download-chromium.apps...

      This is the raw build of Chromium for Windows x86, right off the trunk. It may be tremendously buggy.
      created by François Beaufort - now maintained by the Chromium team

    8. Re:Why Chrome when you can use Chromium? by afgam28 · · Score: 1

      I suspect they do some, but either way you're still "the product". Or is it more about privacy (which is a totally different thing from being exploited)?

  4. What's amazing... by swillden · · Score: 1

    What's amazing is that this 1996-era hack for extending the functionality of the Netscape browser, in a rather kludgy and unsafe way, still exists at all in 2014. I took a class at the Netscape office in Mountain View in 1997 to learn how to write NPAPI plugins and thought then that it was an ugly hack that deserved to go way soon, though I was glad it existed to solve my immediate problems. Not only did it not go away (though MS removed NPAPI support for IE a long time ago), nearly all major browsers today still support it.

    Good for Google for deprecating this crap. Firefox (which is to some degree a descendant of Netscape) has also been reducing its support, per the WP article.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:What's amazing... by Curunir_wolf · · Score: 1

      wait...since when did IE ever add NPAPI support? It was all ActiveX for them.

      Yes, but they have an ActiveX control that runs the NPAPI container. :P

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    2. Re:What's amazing... by ProzacPatient · · Score: 1

      If I'm not mistaken IE supported NPAPI up to version 5.5 and it was removed in the infamous version 6.

  5. Re:Already making waves by AaronLS · · Score: 1

    Chrome 64bit didn't support NPAPI and so WebEx didn't work for me, but in last couple weeks they recently completely redid WebEx plugin and now it works. I assume they now have a non-NPAPI dependant plugin. I may be mistaken though.

  6. Cross browser alternatives? by AaronLS · · Score: 1

    I know NPAPI wasn't exactly the most elegant thing, but at least it was supported by a few major browsers. Are there any good plugin API alternatives that are cross browser? Or is everyone having to implement a version of the plugin for each browser using whatever API that browser has decided to support?

    1. Re:Cross browser alternatives? by Pope+Hagbard · · Score: 1

      Firefox could implement Pepper but they've chosen not to. You're probably never going to get IE to support any open plugin standard.

    2. Re:Cross browser alternatives? by alavaliant · · Score: 1

      From what I've read on the discussions on Firefox implementing Pepper the reason why they aren't isn't a simple case of them choosing not to. It's a case of google not actually having a published standard (as I've seen it described the Pepper 'API' is just the current head of the chrome source which changes with each chrome release) so it's not an easy thing for another vendor to support.

    3. Re:Cross browser alternatives? by ProzacPatient · · Score: 1

      Firefox could implement Pepper but they've chosen not to. You're probably never going to get IE to support any open plugin standard.

      Because no formal version of PPAPI exists but rather is an ever changing header file in the Chrome source code. Mozilla will not commit to spending the time and resources to implementing PPAPI only to have Google significantly break it on a whim and have everyone blaming Mozilla for their plugins not working. In contrast NPAPI is a rather old interface that has not seen significant modification in a long time and still works fine.

    4. Re:Cross browser alternatives? by thunderclap · · Score: 1

      Firefox could implement Pepper but they've chosen not to. You're probably never going to get IE to support any open plugin standard.

      Because no formal version of PPAPI exists but rather is an ever changing header file in the Chrome source code. Mozilla will not commit to spending the time and resources to implementing PPAPI only to have Google significantly break it on a whim and have everyone blaming Mozilla for their plugins not working. In contrast NPAPI is a rather old interface that has not seen significant modification in a long time and still works fine.

      Nah Mozilla would rather significantly break the plugins themselves on a whim and have everyone blaming Mozilla for their plugins not working.

    5. Re:Cross browser alternatives? by TheRaven64 · · Score: 1

      Pepper isn't an API that is in any way portable across implementations, it's a chunk of WebKit / Chrome rendering guts that are exposed for external use. Supporting it in another browser is theoretically possible, but would be a huge investment in time and effort because you'd have to translate a lot of things from what Pepper exposes into something that makes sense in your own rendering engine and browser.

      --
      I am TheRaven on Soylent News
  7. Re:Already making waves by AaronLS · · Score: 1

    HTML5 is not capable of capturing your screen. You could write the client in HTML5, but then you wouldn't have the option for clients to occasionally share their screen.

  8. This is probably the best way to end support by istartedi · · Score: 1

    They're ending support when it literally annoys just a handful of developers. That might optimize the benefit of dropping support. Any later and they're expending too much effort for the hold-outs. Any earlier and they're shoving too much burden on an active legacy community. They gave plenty of warning too.

    I'm not some Google fan-boy. There are plenty of things they do wrong; but credit where due.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:This is probably the best way to end support by istartedi · · Score: 1

      No, you don't need to point that out because I'm not part of the anti-MS block on Slashdot. Of course I don't expect random ACs to dig into my past and pull up posts from 10 years ago. I'm just pointing it out. Not everything on this site is about setting M$ equal to $atan and condemning it.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  9. Re:May be irrelevant by toonces33 · · Score: 1

    It is funny - I have been getting more and more frustrated with Firefox. They add all sorts of crap, but do nothing to resolve longstanding problems.

  10. In January? by Rebelgecko · · Score: 1

    NPAPI plugins (or at least Unity) already don't work on the Mac version of Chrome

    --
    CATS/Diebold '08- All your vote are belong to us!
  11. Flash by manu0601 · · Score: 1

    Flash does not use that API anymore?

    1. Re:Flash by PingSpike · · Score: 1

      There's a wrapper "fresh player" that allows chrome's pepper flash to be used in firefox but I'm not sure how reliable it is. I haven't used it much yet but it did seem to work.

  12. video by Blaskowicz · · Score: 1

    I remember when the problem of web video was finally solved for like a couple monthes, at least for me. WMV video plugin would reliably install and play full screen video on a modest computer. But instead, flash video replaced it and tripled the CPU requirements, and it works but this is shit.
    The web would be better if we had followed the route of a NPAPI video plugin, we'd have Youtube that works on a Pentium II and 128MB RAM. Running three of them would not make a 2GHz single core computer crumble.

     

    1. Re:video by jones_supa · · Score: 1

      Newer codecs would still have inflated the hardware requirements. H.264 takes more crunch than MPEG-2. However, as you point out, the main problem is that the YUV overlay is not used in web browser video players. One can see the difference when he downloads a video from YouTube with youtube-dl or plays it via MiniTube: the CPU usage is much lower.

  13. Linux Chrome 35 already dropped NPAPI by rklrkl · · Score: 1

    I believe Google dropped NPAPI support in Linux for version 35 onwards. This *immediately* broke all Java applets (as far as I know, there's no PPAPI Java plug-in), which wasn't great for sysadmins using Java VNC applets (yes, I know about noVNC, but not all Web UIs have moved to that) or F1 timing on formula1.com as a consumer example.

  14. Dropping NPAPI broke VMware consoles on Linux by daveewart · · Score: 2

    Google Chrome for Linux dropped support for NPAPI in version 35. This meant that if you use VMware, there's now no current browser which allows you to open VMware consoles via VMware vSphere/vCenter.

    This is because of two related issues:

    - vCenter needs Flash, but it has to be *recent* Flash (not 11.2 Linux Flash). Only option which provides recent Flash is Chrome;

    - vCenter's 'launch console' add-in is NPAPI-based, so that won't work from Chrome version 35 onwards.

    Therefore my VMware-managing setup on my Linux desktop is Google Chrome 34, pinned to prevent updating; and this is used only for local VMware management, not browsing.

    I post this just for information and to rant about it yet again, but of course this is VMware's fault for relying on a deprecated architecture for plugins.

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
    1. Re:Dropping NPAPI broke VMware consoles on Linux by cbhacking · · Score: 1

      Stupid and kludgey hack, but is it possible to solve this, at least to a degree, with Wine? Running either the Windows version of Flashplayer (in something like nspluginwrapper; I think I remember hearing about a way to do this though I never tried it) in a Linux browser, or running a full Windows browser (can Wine do that these days?) seems like it solves the problem. It introduces at least one problem, too, of course... but at least you *can* install updates instead of pinning to a version that will only get more outdated...

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Dropping NPAPI broke VMware consoles on Linux by PingSpike · · Score: 1

      It probably won't solve the issue, but have you tried using the fresh player wrapper to run chrome's pepper flash with firefox?

  15. yes yes we know vi can replace every service by cheekyboy · · Score: 1

    Just keep using vi dude, I know you can use it for email, calenders, docs, spreadsheets, ide, chat, etc...

    --
    Liberty freedom are no1, not dicks in suits.
  16. Re:Already making waves by cheekyboy · · Score: 1

    slash is a free service, like he has to care or be accurate.

    get a clue, expect all info to be wrong here.

    You really expect corporate enterprise $600/hr quality advice from slash ? Maybe you should be the one who are more thorough in where you do your research. HA

    --
    Liberty freedom are no1, not dicks in suits.
  17. Re:Already making waves by Anonymous+Brave+Guy · · Score: 1

    Cisco has more than enough software devs to remedy this in a years time.

    This is a huge problem with this whole debate. People who work on certain browsers want the rest of the world to just dump 20 years of software history, significant amounts of which is still in use and doing its job just fine today, and spend what would collectively be a vast amount of time and money rewriting everything just to run on this week's trendy platform instead.

    Newsflash: Professionals with jobs to do value stability and backward compatibility. They probably value their tried and tested software a lot more than a flashy port to your "living standard" platform. They certainly value tried and tested software a lot more than your latest technique for animating SVGs in demos that still doesn't scale up enough to use it in real applications without becoming unusably slow anyway.

    See also: Why IE is still so dominant in business browsing, even versions from several years ago, and why neither Firefox nor Chrome got much traction in business at all until they started playing nicely with grown-up sysadmin tools.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  18. Re:Already making waves by eriqk · · Score: 1

    Professionals with jobs to do value stability and backward compatibility.

    It would appear that these professionals with jobs had better learn to deal with moving targets. Stability and compatibility no longer exist in the old fashioned way.

  19. Re:Already making waves by Anonymous+Brave+Guy · · Score: 1

    It would appear that these professionals with jobs had better learn to deal with moving targets.

    Why? There is no commercial advantage in repeatedly expending resources updating your software or intranet sites just to keep pace with the whims of some browser maker.

    Whatever certain browser makers would like to happen, as the likes of Windows XP, IE6, and later IE8 demonstrated very clearly, staying with software that works for an extended period is a viable and sometimes very attractive option, even if it comes with significant disadvantages in other respects. Large organisations often work with multi-year roll-out plans for new technologies that will affect many staff or critical business functions, and they aren't going to be the slightest bit impressed by a browser vendor shouting, "But we push new features every six weeks!"

    Stability and compatibility no longer exist in the old fashioned way.

    Sure they do. They just don't exist if you give your business to organisations like Google, and the kind of web developer that relies on bleeding edge frameworks and joining the dots has no idea how to provide them.

    Of course, this is good for those of us who make a lot of money offering businesses better solutions to their real problems using tried and tested technologies. It's not as glamorous, but it sure pays well if you can help your clients get stuff done without technology issues they simply don't care about getting in the way all the time.

    TL;DR: Google, Mozilla and their fans wish that professional organisations would see these new developments and choose to adopt Chrome or Firefox as a result. What really happens in many cases is that those organisations see these new developments and say "OK, we'll just stick with IE, which version do we pin at to keep everything working?" and then throw lots of money at organisations like Microsoft that understand the real world needs and provide long term support accordingly.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  20. while they're at it by slashmydots · · Score: 1

    Maybe they should block all malware plugins too. Honestly after running a small repair shop, I could name them off right off the top of my head. Block those assholes and turn it into a marketing thing to brag about security (security for stupid, careless people at least).

  21. Google: Microsoft for a new century by TrentTheThief · · Score: 1

    Bullshit.

    Google wants complete and utter control of the browser and your internet usage.

    Fuck the googletron.

  22. Gives me a legitimate reason to use IE by DewDude · · Score: 1

    Can't watch Slingbox without using their plugin, which uses NPAPI. They seem unwilling to update any software...which means I'll have to boot up IE just to use Slingbox.

    That is after they make me watch a 15 second advertisement to watch TV I pay for on hardware I pay for on the only valid viewing option on my PC.