Google delays demise of old-style Chrome plug-ins

[Matsuda]

Browser will now drop NPAPI plug-in support in September 2015

Google on Monday gave traditional Google plug-ins a stay of execution and instead outlined a three-step plan that will finalize their demise in 10 months. The delay was the latest move in a year-long plan by Google to ban plug-ins built to a decades-old standard, a decision it has pitched as a security enhancement.

NPAPI (Netscape Plug-in Application Programming Interface) is the plug-in standard that harks back to Netscape, the 1990s browser that Microsoft buried in its antitrust-triggering battle over the browser market. NPAPI has long been the most popular plug-in standard, and is still supported by Apple's Safari, Mozilla's Firefox and Opera Software's Opera. (Microsoft's Internet Explorer (IE) has always relied on its own proprietary ActiveX architecture.)

But NPAPI has been criticized for slack security, with years of plug-in hacking proving opponents right. In response, Google has pursued its own plug-in architecture, dubbed PPAPI (Pepper Plugin API), pronounced "pepper," that runs code inside a "sandbox," an anti-exploit technology designed to at least hinder hackers from pushing malware onto machines.

Opera is the only other browser that currently supports PPAPI -- not surprising, since it's built atop the same browser engine that powers Chrome.

In September 2013, Google announced it would pull support for all NPAPI plug-ins from Chrome by the end of 2014. The Mountain View, Calif. company reiterated that pledge in May, although it hedged by applying the word "probably" to the timeline.

The end-of-2014 deadline has now been extended.

In a blog post Monday, Justin Schuh, a Google software engineer, provided an update that spelled out a new three-step process to gradually reduce NPAPI support rather than yank it in one quick move. "Although plug-in vendors are working hard to move to alternate technologies, a small number of users still rely on plug-ins that haven't completed the transition," Schuh said to explain the change.

Those "alternate technologies" for managing and playing video and audio, generating other content, and serving as foundations for Web-based apps are predominately, but not exclusively, based on HTML5 and JavaScript.

In January, Google will discontinue the "whitelist" that currently lets only a handful of NPAPI plug-ins, including Oracle's Java and Microsoft's Silverlight, run without popping up a warning. At that point, NPAPI plug-ins will continue to work within Chrome, but all will present a pop-up alert and require user approval.

Come April 2015, Chrome will stop supporting NPAPI plug-ins by default, although users can override the ban. Consumers can switch support back on via the chrome://flags options, while corporations running the browser can do the same through the Google Apps control panel or Windows' Group Policy. Also in April, Google will pull add-ons that require a NPAPI plug-in from the Chrome Web Store.

Chrome will finally be stripped of all NPAPI support in September 2015, when even an override won't work.

As Google continues to deprecate NPAPI plug-ins and eventually eliminate support, some users may need to run an alternate browser -- such as Firefox, Opera or Safari -- to interact with sites that require the older technology.

"What about Web pages, like most -- if not all -- banks in Brazil, that need Java?" asked one user in a comment appended to Schuh's blog.

Google offered more information on its Chrome plug-in strategy in a developers guide available on its website.



Original Article