Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Support For NPAPI Plugins Ends Next Year (mozilla.org)

Posted by Soulskill on from the no-time-like-the-future dept.

An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.

30 of 147 comments (clear)

  1. Experience? by Anonymous Coward · · Score: 5, Insightful

    Too much use of the word 'experience' shows that Mozilla has been taken over by managers.

    1. Re: Experience? by Anonymous Coward · · Score: 4, Funny

      That's a nice first post experience you had there!

    2. Re:Experience? by Anonymous Coward · · Score: 3, Insightful

      Nope, experience is a bullshit bingo word because it triggers the positive association that people have with knowledge which is gained through experience. But while it sounds positive, it doesn't actually make a qualitative or quantitative claim one way or the other in the way it is used by business people. "The web experience" just means that people are using the web. They could be hating it from start to finish, not learning a thing on the way, and it would still be their web experience.

    3. Re:Experience? by idji · · Score: 2

      Too much use of the word "features" leads to bloat and forgetting what people are using the software for.

  2. Re:Is this goodbye? by Anonymous Coward · · Score: 2, Informative

    Wrong type of plugin. This is about plugins like Flash, such as ... uh ... I dunno, Adobe PDF reader? The Java plugin, I guess. Things like that. Basically nothing anyone will miss.

    Of course, they're also killing support for NoScript and requestpolicy, except that happens earlier than "the end of next year." The timeline for support for those to be removed is mid-2016, as I recall.

  3. Moral of the story: by 140Mandak262Jamuna · · Score: 4, Insightful

    Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture."

    The moral is, if you screw up in small scale you pay the price. If you screw up in gigantic scale, others will accommodate you. Small borrowers get foreclosed. Gigantic debtors get bailed out. Minor plug-ins with stability and security issues get pulled.Even major ones like java. But you screw up in gigantic scale like Adobe Flash, the market prices your misdeeds in and expects others to act knowing, "yeah, Adobe Flash is a mess, but we know it is a mess, we need to work around it".

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Moral of the story: by Anonymous Coward · · Score: 2, Insightful

      I was going to post pretty much the same thing. Yes, let's close off all those insecure plugins, but give FLASH a pass. The worst offender of the bunch for security and stability issues. Flash: the Citibank of plugins.

    2. Re:Moral of the story: by Anonymous+Brave+Guy · · Score: 4, Insightful

      It's not even as if Java is a huge security problem today. It's effectively been click-to-play by default in all major browsers for a long time, and the plug-in itself then has a bunch more security safeguards before it will trust remote code to do just about anything.

      As I seem to have to point out every time this subject gets raised, this is a horrible move in terms of preserving useful content on the web. A lot of things that have been done with plug-ins like Java or Silverlight are small and in-house, like the math lecturer's interactive visualisation of something in their course, or the applet some guy in sales wrote a few years ago for the intranet so the group managers could see a quick overview of how everything is going and copy the data straight into their Excel spreadsheet. Of course they have also been used for a lot of GUIs for networked devices, where things like drawing interactive charts wasn't possible using native web technologies until relatively recently.

      Many of these useful tools won't have dedicated maintainers and they aren't magically going to get rewritten to use the new blessed technologies. Closing them off in Firefox as well just means anyone who actually relies on them is now left on IE forever. Again.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:Moral of the story: by isj · · Score: 2

      The content plugin support has always been a mixed blessing. It was sometimes useful as a stop-gap until the browsers supported some new form of content (eg. SVG, MathML, ...). With the removal of plugin support and acceleration of the death of plugins it means that new content forms will have to be implemented in all browsers, which seems wasteful to me.

      On the other hand, with the current feature set of html5+javascript+canvas+webgl you can make quite good interfaces. In the odd (but not completely rare) cases where it isn't enough you can go for a stand-alone program, like java webstart, stand-alone flash player, etc.

      So what we lose is the ability to display new content forms inside a web page which (imho) is not a big loss nowadays.

      For the legacy sites (java applets for configuration or secure "VPN" access, flash for ditto) the backward compatibility has never been great: random applets required exactly JVM 1.4.x.x, flash only worked with FF version x, silverlight only worked with IE, etc. so I don't think the impact is worse than what would already happen. I hope that the developers of such solutions go for html5 replacements primarily, and if that doesn't work then downloadable stand-alone binaries (or even better: open source).

    4. Re:Moral of the story: by myowntrueself · · Score: 2

      It's not even as if Java is a huge security problem today. It's effectively been click-to-play by default in all major browsers for a long time, and the plug-in itself then has a bunch more security safeguards before it will trust remote code to do just about anything.

      As I seem to have to point out every time this subject gets raised, this is a horrible move in terms of preserving useful content on the web. A lot of things that have been done with plug-ins like Java or Silverlight are small and in-house, like the math lecturer's interactive visualisation of something in their course, or the applet some guy in sales wrote a few years ago for the intranet so the group managers could see a quick overview of how everything is going and copy the data straight into their Excel spreadsheet. Of course they have also been used for a lot of GUIs for networked devices, where things like drawing interactive charts wasn't possible using native web technologies until relatively recently.

      Many of these useful tools won't have dedicated maintainers and they aren't magically going to get rewritten to use the new blessed technologies. Closing them off in Firefox as well just means anyone who actually relies on them is now left on IE forever. Again.

      Internet explorer won't keep up with this forever. Does anyone have experience of the new Windows 10 browser (Edge) and Java?

      Where I work we have to deal with many sites where we are absolutely forced to use Java browser based apps. We have no option. Theres been talk that we might just have to write our own application to do this as browsers just can't be trusted not to lock us out of these systems.

      Some people I work with keep an old XP VM around with an old version of Java and an old browser just to be able to use the IPMI console on (fairly new) servers. I don't see any sign that the server manufacturers are going to stop using Java for their IPMI consoles.

      This is ridiculous.

      --
      In the free world the media isn't government run; the government is media run.
    5. Re:Moral of the story: by Anonymous+Brave+Guy · · Score: 4, Insightful

      I make browser-based user interfaces for a living, and I can say without hesitation that a lot of these new technologies aren't ready for prime time yet (though that's not going to stop Google, Apple and Mozilla treating them as if they are).

      SVG and Canvas performance is highly variable. There are sometimes serious rendering glitches in some of the browsers as well, even looking at quite simple cases. Plus issues with events not propagating properly, which variation of animations we're supporting this week, etc.

      MathML is only supported usefully in Firefox and Safari.

      HTML5 audio/video is just a gigantic mess, not only in the lack of any portable format for each that works just about everywhere, but also in terms of browser controls, cache behaviour, even basic stuff like triggering corresponding JS events at the right time or showing the right poster image for a video. Plus of course there's the whole ECE mess, which is corrupting the open web with DRM, creating whole new attack vectors, or just another kind of plug-in that now needs to be developed and then ported across platforms instead of the old ones, depending on who you'd like to hate it the most right now.

      WebGL is interesting but support is generally still patchy. It's also worth noting that like any of the other hardware-accelerated features here, it's going to create more attack surface, which is why the argument that browser features are somehow more likely to be secure than the equivalent plug-in features they're replacing is just silly.

      As a final comment, a lot of those sites using plug-ins that you call "legacy" were doing things the only way they could just a few years ago. Even if they all worked properly today, those technologies I mentioned above have only been viable alternatives very recently. It's not realistic to expect everyone who has been developing tools built with plug-ins and sunk large amounts of time and money into developing them to just do a Big Rewrite into HTML5-friendly technologies to suit the browser makers. Given that most of those browser makers have made it abundantly clear that they don't really care about providing meaningful long term support for anything any more, I suspect before long they are going to start reaping what they have sown as they find people who build web apps increasingly sceptical about relying on unproven features. Ironically, they could even be strengthening the native software and mobile app markets in the long run.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    6. Re:Moral of the story: by Anonymous+Brave+Guy · · Score: 3, Insightful

      The standard is not whether something worked a year or two ago, but whether it followed the recommended best practices in effect at that time.

      The important thing is always whether something works properly. Everything else -- formal standards, compatibility work, portability work -- is just a means to that end.

      If you write a site using standards on the verge of being declared obsolete, you have no one to blame but yourself.

      Which is an easy argument to make until someone points out that in these cases the people declaring something "obsolete" are frequently biased and, in particular, advocating a new and inferior replacement.

      Dependence on NPAPI plugins hasn't been best practice for a long time now, much longer than one year

      And yet viable alternatives to the things we've been doing successfully with various plug-ins for literally a decade or more have barely been around that long, and in many cases are still obviously and objectively worse in significant respects today.

      Flash is the only plugin with any widespread support left, and it's been on its way out for a while.

      Not in corporate use. Not even close.

      Sites which depend on such plugins already fail on mobile browsers, which are becoming more and more popular and haven't even supported Flash for several years, much less other plugins.

      And the corporates mostly don't care, because they have real work to do and provide their staff with real computers to do it. No-one is preparing their quarterly accounts presentation on an iPhone.

      Plugins, on the other hand, have always been a compatibility nightmare—non-standardized, proprietary, and non-portable.

      And yet Java applets were recognised as early at the <applet> tag somewhere back in the 90s, while Flash has been one of the most successfully standardised parts of web history in terms of both portability and longevity. I suspect only HTTP, HTML 4 and CSS 2.1 have been more successful in those respects.

      If you like standards and cross-browser compatibility, you should be backing this change.

      I like things that work. To be fair, I also like the new "standard" and "cross-browser compatible" features, but for a very different reason: they are still so badly implemented so often, and broken so often by browser updates, that I make an awful lot of money fixing things that rely on them.

      fewer one-off, closed-source, browser- and OS-specific binary plugins

      Because ECE for multimedia playback and graphics drivers to accelerate WebGL are so much better?

      IE itself is deprecated

      It really isn't, in any practical sense. Realistically, Microsoft are going to continue supporting it until at least 2020 because of the Win7 support, and because dropped it would cost them the support of the business community that makes up the lion's share of revenues.

      For perspective, that is more than 30 six-weekly update cycles of various other major browsers where businesses don't have to worry unduly about something they rely on being arbitrarily broken.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  4. Hypocrites by Viol8 · · Score: 2

    "Plugins are a source of performance problems, crashes, and security incidents for Web users"

    So is your browser. And whatever happened to choice? If I want to use a plugin that may crash occasionally thats up to me - not you. What next - I can only view web pages that your browser deems acceptable? Asshats.

  5. Those are add-ons, not plugins. by WD · · Score: 4, Informative

    Add-ons will continue to work. This is talking about NPAPI plugins.

  6. Re:Is this goodbye? by Anonymous Coward · · Score: 4, Informative

    Plug-ins != add-ons

  7. Re:NPAPI Plug-ins by BenJeremy · · Score: 2

    Flash is supported by Chrome as built-in. Every release of Chrome has an updated flash player.

    The problem is more that NPAPI is bad, PPAPI and built-in support is the path to future plugins. Expanding HTML5 is part of it, but not all of it.

  8. Re:Question by Sigma+7 · · Score: 5, Informative

    What is NPAPI ?

    NPAPI is the legacy plugin system used by browsers that allows webpages to serve executable content without the user having to download a file.

    This system is used by Flash, Unity, Java, and various unimportant plugins. Of these, Flash has an arrangement with Adobe, Unity has an exit strategy, and Java is completely neutered as it was for quite some time. The unimportant plugins are unimportant (and if they were, they'd have fixed it by now.)

    and does this have anything to do with the add=ons and plug=ins specific to Firefox and Seamonkey
    SAome of which break every time they put out a new version of FF

    Those are extensions, which is completely different.

  9. Re:Is this goodbye? by Anonymous Coward · · Score: 2, Insightful

    Of course, they're also killing support for NoScript

    Odd. Giorgio Maone, the author of NoScript, says Mozilla isn't doing that. It's almost as if you don't know what you're talking about.

  10. Plugins != extensions by Samare · · Score: 3, Informative

    NPAPI plugins are not to be confused with Firefox extensions.

    The fact that they have both been found in about:addons for some time now is a source of confusion.

  11. Re:NPAPI Plug-ins by isj · · Score: 3, Insightful

    I want ads to be in flash because that makes them easy to block :-)

  12. I honestly wish you were dead by Anonymous Coward · · Score: 2, Funny

    see subject

  13. Interesting article by Steve Jobs by tarlek1234 · · Score: 2

    https://www.apple.com/hotnews/... (A bit old, but probably still relevant.)

  14. Electrolysis by tepples · · Score: 2

    There isn't much advantage to a 64-bit browser anyway

    There is if all tabs are running in one process, as opposed to one process per tab like in present-day Chrome or the experimental Electrolysis feature of Firefox.

  15. Re:NPAPI Plug-ins by jaklode · · Score: 2

    Too bad for you that Google automatically converts them to HTML5 ads.

  16. Moral of the story: Fork it if you want it. by sethstorm · · Score: 2

    How long until we see forks of Firefox that don't give up on plugins?

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  17. vSphere Web Client HTML5 needed soon by Joe_Dragon · · Score: 2

    They need to get rid of the flash based one.

  18. Re:Is this goodbye? by myowntrueself · · Score: 2

    Of course, they're also killing support for NoScript

    Odd. Giorgio Maone, the author of NoScript, says Mozilla isn't doing that. It's almost as if you don't know what you're talking about.

    This is the Internet, and Slashdot! How dare you accuse someone of not knowing what they are talking about!

    --
    In the free world the media isn't government run; the government is media run.
  19. Re:Question by fahrbot-bot · · Score: 4, Informative

    What is NPAPI ?

    Jesus you're lazy: NPAPI

    --
    It must have been something you assimilated. . . .
  20. Re:Is this goodbye? by Anonymuous+Coward · · Score: 2

    https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/

    O God.

    As if the xml/xul/xpcom repetitive cargo cult nighmare wasn't bad enough.

    Just as the code started to mature a little bit, and despite its ugliness and brittleness, people started to make (a little bit) sense of it, they plan to tear everything down and put into place another mumbo-jumbo of Web 3.0 idiocy (rewritten in Rust, no less!)

    Just like the xorg/wayland bunch of idiots.

    And to add insult to injury, they will make everything closed-garden: no more addons not reviewed by mozilla.inc, even if they're signed and you explicitly trust the developer's certificate!

  21. Re:Is this goodbye? by arglebargle_xiv · · Score: 2

    And that's the crazy thing about this, they're deprecating NPAPI, whose main user is Flash, "for security reasons", but specifically leaving in support for... Flash, the most dangerous, buggy attack vector there is. It's like the TSA announcing that they're going to continue running their long-running security theatre performance in order to annoy all travellers, but will be waving through anyone with dynamite strapped to their body.