Slashdot Mirror


Mozilla To Drop Support For All NPAPI Plugins In Firefox 52 Except Flash (bleepingcomputer.com)

The Netscape Plugins API is "an ancient plugins infrastructure inherited from the old Netscape browser on which Mozilla built Firefox," according to Bleeping Computer. But now an anonymous reader writes: Starting March 7, when Mozilla is scheduled to release Firefox 52, all plugins built on the old NPAPI technology will stop working in Firefox, except for Flash, which Mozilla plans to support for a few more versions. This means technologies such as Java, Silverlight, and various audio and video codecs won't work on Firefox.

These plugins once helped the web move forward, but as time advanced, the Internet's standards groups developed standalone Web APIs and alternative technologies to support most of these features without the need of special plugins. The old NPAPI plugins will continue to work in the Firefox ESR (Extended Support Release) 52, but will eventually be deprecated in ESR 53. A series of hacks are available that will allow Firefox users to continue using old NPAPI plugins past Firefox 52, by switching the update channel from Firefox Stable to Firefox ESR.


  1. Context please by ebonum · · Score: 2, Insightful

    I must be an idiot. I read TFA and I have no idea if AdBlock Plus, Ghostery, NoScript, etc. will continue to work.
    What will break? What will continue to function normally?

    1. Re:Context please by Anonymous Coward · · Score: 4, Informative

      I must be an idiot. I read TFA and I have no idea if AdBlock Plus, Ghostery, NoScript, etc. will continue to work.
      What will break? What will continue to function normally?

      There is no talk of removing support for extensions. This is only about plugins.

    2. Re:Context please by Anonymous Coward · · Score: 4, Informative

      actually there is (more than) talk to remove extensions, well replace them with a new standard
      coming in ff 57
      it'll break a lot of nice extensions
      http://www.ghacks.net/2017/01/28/firefox-add-on-quicksaver-quits/

    3. Re:Context please by AmiMoJo · · Score: 2

      No, add-ons as they are called will be fine for now. This API is only for binary plug-ins like Flash, Java and Adobe PDF Reader.

      Binary plug-ins are much more vulnerable because they are native code and run in the browser process. Add-ons are Javascript and run in the Javascript sandbox, although in Firefox they can really screw with the browser's security model which is why Mozilla is wanting to move away from them eventually.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Context please by Anonymous Coward · · Score: 5, Insightful

      And the day they follow through on it, is the day they for real die, despite all the propaganda floating around already about how "buggy" and "leaky" and "useless" it is. I've never had any such problems with Mozilla, but the day they kill ublock, noscript and other such necessary add-ons, and replace them with substandard, neutered google-crap, is the day not only I have absolutely no further use for them, it's the day they have actually lost the entire point of their existence.

    5. Re:Context please by Anonymous+Brave+Guy · · Score: 2

      Still, I guess I'll have to stop updating firefox so as not to break compatibility with the Java stuff that I have to use.

      Sadly, I doubt you'll be alone.

      I work with a lot of networked devices, which is a common environment where Java in a browser still matters. While there are now alternative technologies that can be used for much of what we used to use Java for, people should remember that they have only quite recently become stable and reliable enough for long-term professional use in an embedded context, and even today, there are plenty of bugs and performance problems with both canvas and SVG, so they're still not a perfect replacement if you had an applet for some graphical presentation purpose. Obviously it takes time to develop new versions of these UIs and then time for customers to purchase and deploy them, so expecting these embedded systems to be upgraded before the next major hardware/firmware upgrade cycle is unrealistic.

      Another case where Java applets are still useful is all the little demo pages, again typically graphical ones, that the academic community has written over the years. I came across one of them just this weekend, and was glad that I was using Firefox instead of Chrome so I could still watch them. It's a horrible shame that access to all of this content, much of it developed over two decades but as relevant today as ever, is being lost just because the browser developers and Oracle couldn't get their acts together. This isn't how the Web was supposed to work, no user benefits from the loss, and there's no magical fairy who's going to come along and rewrite all of these pages using shiny new HTML5 standards just because Google and Mozilla would prefer it if Java went away.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. Mozilla...getting it wrong so you don't have to. by Anonymous Coward · · Score: 5, Insightful

    "We have announced today that we will be dropping support for all plugins, except the one that's really the problem judging by the security advisories. You can expect your specialty software to stop working immediately, while the security-hazard that is Flash will continue to work for several, pointless version number bumps."

    If it weren't for mistakes the Mozilla Foundation wouldn't be good at making any fucking thing.

  3. Fuck you, Mozilla. by Anonymous Coward · · Score: 4, Insightful

    Blocking NPAPI, *except* the worst of them all, security ala mozilla, like we know it for years. Running out of ways to piss off every single admin on the planet, are we...?

    1. Re:Fuck you, Mozilla. by TheRaven64 · · Score: 4, Insightful

      I don't know - between Java and Flash, it's hard to tell which has the worse security record. Though these days about the only Java applets on the web are malware, so at least you get a lower false positive rate by blocking them all.

      --
      I am TheRaven on Soylent News
    2. Re:Fuck you, Mozilla. by ArhcAngel · · Score: 2

      these days about the only Java applets on the web are malware

      You mean like Intercontinental Exchange's WebICE? A multi-billion dollar commodities trading platform.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  4. Flash by dschiptsov · · Score: 4, Insightful

    Which is the absolute champion in vulnerabilities exploited by hackers, tracking, malware and every possible kind of crap, including banners, which is the only reason it still exists and is pushed by the browser vendors.

  5. A Year of My Life Lost on NPAPI by glennrrr · · Score: 2

    5 years ago, part of my job was keeping an NPAPI plugin running on the Mac. Apple had transitioned their support to a new graphics and event model and it was a lot of work refactoring our plugin. And of course, that ended up being wasted time we should have spent transitioning to writing a Javascript version of our app.

  6. No real benefits (only perceived ones) by admin7087 · · Score: 4, Insightful

    There really is no benefit in replacing native plugins with a strictly inferior technology - Javascript instead of the language of your choice and then removing the former. This is just another closing down of an ecosystem for the sake of nonexistent "security" under the obviously dubious presumptions that the developers of the base technology are more competent about security than plugin developers and that users need to be constantly patronized. Instead, they should open a native plugin technology to as many languages as possible and let people decide what language to use and which developer to trust.

    But you can see this trend everywhere. Less power to users and third-party developers and more control to the people who run the "platform".

  7. Too much IT hardware needs java for management by Joe_Dragon · · Score: 4, Informative

    Too much IT hardware needs java for management. Like switch admin, IPMIs, others.

    1. Re:Too much IT hardware needs java for management by myowntrueself · · Score: 3, Insightful

      And they should have moved to javascript a long time ago, requiring people to install modern browsers instead of continuing to use internet explorer 6 and microsoft XP without any service packs.

      Still, you can just back up Firefox 51 and put it to a live linux cd of some sort, then making it access the hardware you need via a VM.

      Yeah the vendors should have released firmware patches or hardware modules to deal with the changes to browsers. Never going to happen. People with very sensitive jobs are going to keep using crappy unsecurable browsers because they no longer have any choice.

      --
      In the free world the media isn't government run; the government is media run.
    2. Re:Too much IT hardware needs java for management by myowntrueself · · Score: 3, Insightful

      The plugins were totally unsecurable already. Just use that browser for accessing those devices only, without internet access.

      'Without internet access' isn't going to work when you are accessing KVM consoles on servers on the other side of the world which are at a hosting company where you don't have the option of a VPN. There are many thousands such sites perhaps millions. I deal with about a hundred personally.

      Out in the real world people do need java, and often flash as well, in a browser, to be able to do their jobs. You can't just say "Well I'm not going to do my job if you don't upgrade the systems so I don't need java" because they'll just fire you and hire someone who will. Obviously.

      --
      In the free world the media isn't government run; the government is media run.
  8. Re:But my business bank deposit Java app... by myowntrueself · · Score: 2

    With Firefox and Chrome having over 2/3 of the browser market between them, your bank will have not much of a choice. Sooner or later nothing supports Java anymore and their plugin is simply obsolete.

    There is still a lot of hardware out there and embedded systems that depend on Java for management, e.g. KVM consoles. I know people who keep an XP virtual machine around just so they can manage certain pieces of hardware.

    --
    In the free world the media isn't government run; the government is media run.
  9. Re:Mozilla...getting it wrong so you don't have to by fuzzyfuzzyfungus · · Score: 2

    I certainly don't disagree that Flash should be taken out and shot on security grounds; but it is pretty much the last NPAPI plugin that you are likely to piss users off by dropping support for. iOS got away with it; but Safari continues to support it (though grudgingly); Chrome killed NPAPI; but the 'Pepper' plugin interface appears to exist primarily to support Flash; Edge also whitelists Flash; and Flash on Android died mostly because Adobe couldn't make it work very well; not because Google shoved them off the platform.

    Given Mozilla's less-than-commanding presence in the browser market; I suspect that they can't afford to take a hard line on flash right now.

  10. "This add-on will stop working..." by Futurepower(R) · · Score: 5, Informative

    Posting this again: The reason I like Firefox is the add-ons.
    1. Classic Theme Restorer

      "This add-on will stop working when Firefox 57 arrives in November 2017."

      This add-on will stop working when Firefox 57 arrives in November 2017 and Mozilla drops support for XUL / XPCOM / legacy add-ons. It should still work on Firefox 52 ESR until ESR moves to Firefox 59 ESR in 2018 (~Q2).

      There is no "please port it" or "please add support for it" this time, because the entire add-on eco system changes and the technology behind this kind of add-on gets dropped without replacement.

    2. Cookies Manager+
    3. Ghostery DON'T UPDATE. New versions don't allow sufficient user control.
      USE THIS: ghostery-5.4.10-sm+an+fx.xpi Link: Version 5.4.10
    4. Mozilla Archive Format
    5. NoScript
    6. Nuke Anything Enhanced
    7. Open link in...
    8. Print Edit
    9. Session Manager
    10. Snap Links Plus DON'T UPDATE. New versions don't have as many features.
      USE THIS: snap_links_plus-2.4.3-sm+fx.xpi Link: Version 2.4.3
    11. uBlock Origin
    12. Video DownloadHelper

    1. Re:"This add-on will stop working..." by Anonymous Coward · · Score: 3, Insightful

      when they kill the unique-to-firefox flexibility of addons, it WILL KILL FIREFOX itself. rip. it was a good run but your days are now numbered unless the morons-in-charge over there get their shit together.

  11. Use Emscripten by tepples · · Score: 2

    You can use any programming language you want, so long as you have access to a compiler to compile it into JavaScript. Treat JavaScript as an object code format, not the source code. That's what asm.js was supposed to be about: a subset of JavaScript that the JIT engine can convert trivially for which things like Emscripten can generate code.

  12. If you want NPAPI, there is Pale Moon by SEE · · Score: 5, Informative

    Pale Moon is a long-established fork of Firefox that, among other things, is maintaining NPAPI support.

    1. Re:If you want NPAPI, there is Pale Moon by Anonymous Coward · · Score: 2, Informative

      FYI, actually people are trying to port back jetpack add-ons to Pale Moon as they were removed for changes in the compiler code as they needed to drop Windows XP support for stability.

      Remember Pale Moon != Firefox, they were like that in 20 version.

    2. Re:If you want NPAPI, there is Pale Moon by Luckyo · · Score: 3, Interesting

      I imagine people would. This change basically crippled Pale Moon to the point of uselessness to people like myself who migrated to it in search of alternative to Firefox when Firefox went nuts with UI experiments and other weird BS.

      That said, to me that also demonstrated full willingness on part of PM devs to remove add-on compatibility for [reasons]. Browser is a platform for add-ons, and many of them are crucial for me. That patch basically broke several add-ons that are absolute deal breakers for me. And considering the state of forums when I came to ask for support in possibly making these add-ons work, as I did after the previous patch that also broke many add-ons (but I was able to find replacements for all crucial ones then), it demonstrated to me that developers simply did not understand the same thing that Firefox developers miss. We don't come to them for the browser. We come to them for the browser that is also the add-on platform for our favourite add-ons that make everyday browsing far more comfortable, or meet specific work flow demands. As a result, removing support for some add-ons is simply unacceptable, especially when you consider that many of the more esoteric add-ons that people like are often not updated, ever. They just work. Until browser devs decide that they will break them.

  13. Re:Mozilla...getting it wrong so you don't have to by gravewax · · Score: 2

    not quite, Adobe and Flash are in a class of their own, the sheer extent and severity of vulnerabilities far outstrips any other piece of software including those with much larger user bases.

  14. End of Plugins = Techno racism by neutrino38 · · Score: 2

    This move from the Mozilla Foundation is consistent with what we have seen happening with Chrome and Edge. It was initiated long ago by Apple, which decided to drop Flash support on their mobile devices.

    The motivations for these moves are well known: less battery usage, more security. For the general public it is justified.

    However, there is a whole range of corporate applications that relied and still rely on plug-ins. Not just Flash. So deep down, by not providing at least a supported version of the browser with plugins, the industry is building a monolithic platform ...again. Single language, single platform. It's about control, not user choice.

    The argument that HTML5 is now mature enough does not fly very far. Mature enough for common web apps, sure. But if you start using advanced features such as WebRTC, you'll start seeing glitches and incompatibilities that push some services to advertise "please use Chrome" ...

    The fact is that now people in general (users, developers and software editors) are techno racists. They want security and despise technology that is not 'like them'. So they prefer to slam the door and drop the plugins and by decree ban any foreign technology from our beloved HTML / JS free platform.

    This is unfortunately consistent with the behavior of the political world of today ...