Google Chrome Will Block All NPAPI Plugins By Default In January

An anonymous reader writes Google today provided an update on its plan to remove Netscape Plugin Application Programming Interface (NPAPI) from Chrome, which the company says will improve the browser's security, speed, and stability, as well as reduce complexity in the code base. In short, the latest timeline is as follows: Block all plugins by default in January 2015, disable support in April 2015, and remove support completely in September 2015. For context, Google first announced in September 2013 that it was planning to drop NPAPI. At the time, Google said anonymous Chrome usage data showed just six NPAPI plugins were used by more than 5 percent of users, and the company was hoping to remove support from Chrome "before the end of 2014, but the exact timing will depend on usage and user feedback."

Which 6?

[Snotnose]

If I knew which 6 NPAPI plugins were used I'd know if I cared or not.

Re:

[jones_supa]

Uuhh, nerd rage. Sent from mother's basement and spoken out with a nasal "young Bill Gates" voice.

Re:

[Dishevel]

Good thing you did not start working on the problem over a year ago when they announced they would be doing this.

Now you can be all surprised and put upon by evil Google.

Re:

[doccus]

Hmmm.. and how many of these plugins are actually Google apps? Like.. "Oh man what are we going to do today to piss people off and show how many defenseless babies we can kick to the curb?" "I've got it.. lets kill Google Earth"

Re:Which 6?

[jandrese]

From the link:

Silverlight (launched by 15 percent of Chrome users last month).
Unity (9.1 percent).
Google Earth (9.1 percent).
Java (8.9 percent, but already blocked for security reasons).
Google Talk (8.7 percent).
Facebook Video (6.0 percent).

Silverlight is in that list thanks to Netflix, but Google got HTML5 video working for Netflix so that should drop off of there. Google Earth seems like something Google can fix as well. Same with Google Talk.

Unity, Java, and Facebook Video might be problematic however. I guess we'll have to wait and see if Chrome users are important enough for the respective companies to redevelop their plugins.

Re:

[Guspaz]

Those percentages are out of date. The percentages from the latest update are:

Silverlight (11 percent of Chrome users, down from 15 percent)
Google Talk (7 percent of Chrome users, down from 8.7 percent)
Java (3.7 percent of Chrome users, down from 8.9 percent)
Facebook Video (3 percent of Chrome users, down from 6 percent)
Unity (1.9 percent of Chrome users, down from 9.1 percent)
Google Earth (0.1 percent of Chrome users, down from 9.1 percent).

Re:

[IamTheRealMike]

Yes, but exploited browser rendering engines have been a large source of infections too. Sandboxing mobile code is just really hard. However the web is indispensable whereas Java applets aren't, so Java is the one that gets thrown out.

I suspect there isn't any way to build support for Java applets that satisfies Google's policies, therefore, they will end up being restricted to other browsers for the small number of people who need them (mostly enterprise apps).

These days the Java sandbox is actually a lot

Re:

[Anonymous Brave Guy]

This is all too true, unfortunately. Java plug-ins have become increasingly obnoxious about security in recent releases, to the point that software that used to work just fine is now very awkward to use, and both Google and Oracle keep saying things that boil down to "we'll stop it completely, sometime, maybe".

What everyone seems to forget is how many serious/critical vulnerabilities quietly get patched in the major browsers each update. Go ahead and check the change logs. Thinking browsers themselves won't

Re:

[Pope Hagbard]

Talk won't be fixed. It's been deprecated in favor of Hangouts.

Re:

[Chrisq]

too bad hangouts is a piece of shit. fuck google.

Nut then so was google talk. It seems like a like-for-like replacement

Re:

[AmiMoJo]

Chrome is the dominant browser now, so it's more a question of if those plug-ins are important enough to be redeveloped for the majority of users.

The replacement API has been around for ages, and is much more secure. If I used any of those plug-ins I'd be demanding they get upgraded for my own protection, or stop using them.

Re:

[style7711]

Ouch! I use java and silverlight daily.

Re:

[Actually, I do RTFA]

Just six plugins are used by more than 5% of users doesn't seem to be that significant. After all, 1000 plugins used by 1% of users will have far more impact than that.

Also, I do wonder if there is a correlation between people who use more plugins, and those who opt not to send anonymous data in.

Which plugins?

[rduke15]

So, which plugins does this really affect?

Why Chrome when you can use Chromium?

[Teun]

An honest question, why use Chrome when you can also use Chromium and not be 'the product'?

I'll stick with Firefox.

Re:

[pandronic]

Firefox for Android is really good.

Re:

[mwvdlee]

I can haz both!
Use Google and its ilk for 99.9% of my daily activity, use privacy-respecting tools for the remaining 0.1% that requires privacy.

yes yes we know vi can replace every service

[cheekyboy]

Just keep using vi dude, I know you can use it for email, calenders, docs, spreadsheets, ide, chat, etc...

Re:

[farble1670]

https://code.google.com/p/chro... [google.com]

looks like there's little difference two me. you are only the product if you sign in to google, which is true of whatever browser you choose.

Re:

[afgam28]

An honest question: if you don't want to be "the product" then what are you doing here? How do you think Slashdot makes its money?

Re:

[jones_supa]

I suspect Dice doesn't do nearly as much datamining as Google.

Re:

[afgam28]

I suspect they do some, but either way you're still "the product". Or is it more about privacy (which is a totally different thing from being exploited)?

Re:

[mister_playboy]

Google has never provided binaries on their Chromium site and that has always seemed like a very deliberate choice to deter would be users.

To run Chromium (on Windows) you must to dig through third party sites which may or may not have the latest version of Chromium available and may or may not bundle adware garbage installers.

Chrome binary download links, in contrast, are featured prominently on many sites. It is heavily advertised.

Re:

[JackieBrown]

Google has never provided binaries on their Chromium site and that has always seemed like a very deliberate choice to deter would be users.

To run Chromium (on Windows) you must to dig through third party sites which may or may not have the latest version of Chromium available and may or may not bundle adware garbage installers.

Here you go...
https://download-chromium.apps... [appspot.com]

This is the raw build of Chromium for Windows x86, right off the trunk. It may be tremendously buggy.
created by François Beaufort - now maintained by the Chromium team

Re:

[AaronLS]

Chrome 64bit didn't support NPAPI and so WebEx didn't work for me, but in last couple weeks they recently completely redid WebEx plugin and now it works. I assume they now have a non-NPAPI dependant plugin. I may be mistaken though.

Re:

[AaronLS]

HTML5 is not capable of capturing your screen. You could write the client in HTML5, but then you wouldn't have the option for clients to occasionally share their screen.

Re:

[cheekyboy]

slash is a free service, like he has to care or be accurate.

get a clue, expect all info to be wrong here.

You really expect corporate enterprise $600/hr quality advice from slash ? Maybe you should be the one who are more thorough in where you do your research. HA

Re:

[Anonymous Brave Guy]

Cisco has more than enough software devs to remedy this in a years time.

This is a huge problem with this whole debate. People who work on certain browsers want the rest of the world to just dump 20 years of software history, significant amounts of which is still in use and doing its job just fine today, and spend what would collectively be a vast amount of time and money rewriting everything just to run on this week's trendy platform instead.

Newsflash: Professionals with jobs to do value stability and backward compatibility. They probably value their tried and tested software a

Re:

[eriqk]

Professionals with jobs to do value stability and backward compatibility.

It would appear that these professionals with jobs had better learn to deal with moving targets. Stability and compatibility no longer exist in the old fashioned way.

Re:

[Anonymous Brave Guy]

It would appear that these professionals with jobs had better learn to deal with moving targets.

Why? There is no commercial advantage in repeatedly expending resources updating your software or intranet sites just to keep pace with the whims of some browser maker.

Whatever certain browser makers would like to happen, as the likes of Windows XP, IE6, and later IE8 demonstrated very clearly, staying with software that works for an extended period is a viable and sometimes very attractive option, even if it comes with significant disadvantages in other respects. Large organisations often work with multi-y

What's amazing...

[swillden]

What's amazing is that this 1996-era hack for extending the functionality of the Netscape browser, in a rather kludgy and unsafe way, still exists at all in 2014. I took a class at the Netscape office in Mountain View in 1997 to learn how to write NPAPI plugins and thought then that it was an ugly hack that deserved to go way soon, though I was glad it existed to solve my immediate problems. Not only did it not go away (though MS removed NPAPI support for IE a long time ago), nearly all major browsers today

Re:

[Curunir_wolf]

wait...since when did IE ever add NPAPI support? It was all ActiveX for them.

Yes, but they have an ActiveX control that runs the NPAPI container. :P

Re:

[ProzacPatient]

If I'm not mistaken IE supported NPAPI up to version 5.5 and it was removed in the infamous version 6.

Cross browser alternatives?

[AaronLS]

I know NPAPI wasn't exactly the most elegant thing, but at least it was supported by a few major browsers. Are there any good plugin API alternatives that are cross browser? Or is everyone having to implement a version of the plugin for each browser using whatever API that browser has decided to support?

Re:

[Pope Hagbard]

Firefox could implement Pepper but they've chosen not to. You're probably never going to get IE to support any open plugin standard.

Re:

[alavaliant]

From what I've read on the discussions on Firefox implementing Pepper the reason why they aren't isn't a simple case of them choosing not to. It's a case of google not actually having a published standard (as I've seen it described the Pepper 'API' is just the current head of the chrome source which changes with each chrome release) so it's not an easy thing for another vendor to support.

Re:

[ProzacPatient]

Firefox could implement Pepper but they've chosen not to. You're probably never going to get IE to support any open plugin standard.

Because no formal version of PPAPI exists but rather is an ever changing header file in the Chrome source code. Mozilla will not commit to spending the time and resources to implementing PPAPI only to have Google significantly break it on a whim and have everyone blaming Mozilla for their plugins not working. In contrast NPAPI is a rather old interface that has not seen significant modification in a long time and still works fine.

Re:

[thunderclap]

Firefox could implement Pepper but they've chosen not to. You're probably never going to get IE to support any open plugin standard.

Because no formal version of PPAPI exists but rather is an ever changing header file in the Chrome source code. Mozilla will not commit to spending the time and resources to implementing PPAPI only to have Google significantly break it on a whim and have everyone blaming Mozilla for their plugins not working. In contrast NPAPI is a rather old interface that has not seen significant modification in a long time and still works fine.

Nah Mozilla would rather significantly break the plugins themselves on a whim and have everyone blaming Mozilla for their plugins not working.

Re:

[TheRaven64]

Pepper isn't an API that is in any way portable across implementations, it's a chunk of WebKit / Chrome rendering guts that are exposed for external use. Supporting it in another browser is theoretically possible, but would be a huge investment in time and effort because you'd have to translate a lot of things from what Pepper exposes into something that makes sense in your own rendering engine and browser.

Re:

[toonces33]

It is funny - I have been getting more and more frustrated with Firefox. They add all sorts of crap, but do nothing to resolve longstanding problems.

This is probably the best way to end support

[istartedi]

They're ending support when it literally annoys just a handful of developers. That might optimize the benefit of dropping support. Any later and they're expending too much effort for the hold-outs. Any earlier and they're shoving too much burden on an active legacy community. They gave plenty of warning too.

I'm not some Google fan-boy. There are plenty of things they do wrong; but credit where due.

Re:

[istartedi]

No, you don't need to point that out because I'm not part of the anti-MS block on Slashdot. Of course I don't expect random ACs to dig into my past and pull up posts from 10 years ago. I'm just pointing it out. Not everything on this site is about setting M$ equal to $atan and condemning it.

In January?

[Rebelgecko]

NPAPI plugins (or at least Unity) already don't work on the Mac version of Chrome

Flash

[manu0601]

Flash does not use that API anymore?

Re:

[PingSpike]

There's a wrapper "fresh player" that allows chrome's pepper flash to be used in firefox but I'm not sure how reliable it is. I haven't used it much yet but it did seem to work.

video

[Blaskowicz]

I remember when the problem of web video was finally solved for like a couple monthes, at least for me. WMV video plugin would reliably install and play full screen video on a modest computer. But instead, flash video replaced it and tripled the CPU requirements, and it works but this is shit.
The web would be better if we had followed the route of a NPAPI video plugin, we'd have Youtube that works on a Pentium II and 128MB RAM. Running three of them would not make a 2GHz single core computer crumble.

Re:

[jones_supa]

Newer codecs would still have inflated the hardware requirements. H.264 takes more crunch than MPEG-2. However, as you point out, the main problem is that the YUV overlay is not used in web browser video players. One can see the difference when he downloads a video from YouTube with youtube-dl or plays it via MiniTube: the CPU usage is much lower.

Linux Chrome 35 already dropped NPAPI

[rklrkl]

I believe Google dropped NPAPI support in Linux for version 35 onwards. This *immediately* broke all Java applets (as far as I know, there's no PPAPI Java plug-in), which wasn't great for sysadmins using Java VNC applets (yes, I know about noVNC, but not all Web UIs have moved to that) or F1 timing on formula1.com as a consumer example.

Dropping NPAPI broke VMware consoles on Linux

[daveewart]

Google Chrome for Linux dropped support for NPAPI in version 35. This meant that if you use VMware, there's now no current browser which allows you to open VMware consoles via VMware vSphere/vCenter.

This is because of two related issues:

- vCenter needs Flash, but it has to be *recent* Flash (not 11.2 Linux Flash). Only option which provides recent Flash is Chrome;

- vCenter's 'launch console' add-in is NPAPI-based, so that won't work from Chrome version 35 onwards.

Therefore my VMware-managing setup on my Linux desktop is Google Chrome 34, pinned to prevent updating; and this is used only for local VMware management, not browsing.

I post this just for information and to rant about it yet again, but of course this is VMware's fault for relying on a deprecated architecture for plugins.

Re:

[cbhacking]

Stupid and kludgey hack, but is it possible to solve this, at least to a degree, with Wine? Running either the Windows version of Flashplayer (in something like nspluginwrapper; I think I remember hearing about a way to do this though I never tried it) in a Linux browser, or running a full Windows browser (can Wine do that these days?) seems like it solves the problem. It introduces at least one problem, too, of course... but at least you *can* install updates instead of pinning to a version that will only

Re:

[PingSpike]

It probably won't solve the issue, but have you tried using the fresh player wrapper to run chrome's pepper flash with firefox?

while they're at it

[slashmydots]

Maybe they should block all malware plugins too. Honestly after running a small repair shop, I could name them off right off the top of my head. Block those assholes and turn it into a marketing thing to brag about security (security for stupid, careless people at least).

Google: Microsoft for a new century

[TrentTheThief]

Bullshit.

Google wants complete and utter control of the browser and your internet usage.

Fuck the googletron.

Gives me a legitimate reason to use IE

[DewDude]

Can't watch Slingbox without using their plugin, which uses NPAPI. They seem unwilling to update any software...which means I'll have to boot up IE just to use Slingbox.

That is after they make me watch a 15 second advertisement to watch TV I pay for on hardware I pay for on the only valid viewing option on my PC.