Saying Goodbye to Our Old Friend NPAPI
Monday, September 23, 2013
The Netscape Plug-in API (NPAPI) ushered in an early era of web innovation by offering the first standard mechanism to extend the browser. In fact, many modern web platform features—including video and audio support—first saw mainstream deployment through NPAPI-based plug-ins.
But the web has evolved. Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year.
We feel the web is ready for this transition. NPAPI isn’t supported on mobile devices, and Mozilla plans to make all plug-ins except the current version of Flash click-to-play by default. Based on anonymous Chrome usage data, we estimate that only six NPAPI plug-ins were used by more than 5% of users in the last month. Still, we appreciate that it will take time to transition away from NPAPI, so we will be rolling out this change in stages.
Starting in January 2014, Chrome will block webpage-instantiated NPAPI plug-ins by default on the Stable channel. To avoid disruption to users, we will temporarily whitelist the most popular NPAPI plug-ins that are not already blocked for security reasons. These are:
In the short term, end users and enterprise administrators will be able to whitelist specific plug-ins. Eventually, however, NPAPI support will be completely removed from Chrome. We expect this to happen before the end of 2014, but the exact timing will depend on usage and user feedback. Note that the built-in Flash plug-in and PDF viewer will be unaffected because they don’t use NPAPI.
The Chrome Web Store will also be phasing out NPAPI support. Starting today, no new Apps or Extensions containing NPAPI-based plug-ins will be allowed in the Web Store. Developers will be able to update their existing NPAPI-based Apps and Extensions until May 2014, when updates will be blocked. Also in May, listings for NPAPI-based Apps and Extensions will be removed from the Web Store home page, search results, and category pages. In September 2014, all existing NPAPI-based Apps and Extensions will be unpublished. Existing installations will continue to work until Chrome fully removes support for NPAPI.
There are several alternatives to NPAPI. In cases where standard web technologies are not yet sufficient, developers and administrators can use NaCl, Apps, Native Messaging API, and Legacy Browser Support to transition from NPAPI. Moving forward, our goal is to evolve the standards-based web platform to cover the use cases once served by NPAPI.
UPDATES
Justin Schuh, Security Engineer and Plug-in Retirement Planner
But the web has evolved. Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year.
We feel the web is ready for this transition. NPAPI isn’t supported on mobile devices, and Mozilla plans to make all plug-ins except the current version of Flash click-to-play by default. Based on anonymous Chrome usage data, we estimate that only six NPAPI plug-ins were used by more than 5% of users in the last month. Still, we appreciate that it will take time to transition away from NPAPI, so we will be rolling out this change in stages.
Starting in January 2014, Chrome will block webpage-instantiated NPAPI plug-ins by default on the Stable channel. To avoid disruption to users, we will temporarily whitelist the most popular NPAPI plug-ins that are not already blocked for security reasons. These are:
- Silverlight (launched by 15% of Chrome users last month)
- Unity (9.1%)
- Google Earth (9.1%)
- Java (8.9%) *
- Google Talk (8.7%)
- Facebook Video (6.0%)
In the short term, end users and enterprise administrators will be able to whitelist specific plug-ins. Eventually, however, NPAPI support will be completely removed from Chrome. We expect this to happen before the end of 2014, but the exact timing will depend on usage and user feedback. Note that the built-in Flash plug-in and PDF viewer will be unaffected because they don’t use NPAPI.
The Chrome Web Store will also be phasing out NPAPI support. Starting today, no new Apps or Extensions containing NPAPI-based plug-ins will be allowed in the Web Store. Developers will be able to update their existing NPAPI-based Apps and Extensions until May 2014, when updates will be blocked. Also in May, listings for NPAPI-based Apps and Extensions will be removed from the Web Store home page, search results, and category pages. In September 2014, all existing NPAPI-based Apps and Extensions will be unpublished. Existing installations will continue to work until Chrome fully removes support for NPAPI.
There are several alternatives to NPAPI. In cases where standard web technologies are not yet sufficient, developers and administrators can use NaCl, Apps, Native Messaging API, and Legacy Browser Support to transition from NPAPI. Moving forward, our goal is to evolve the standards-based web platform to cover the use cases once served by NPAPI.
UPDATES
- November 2013: For more details about NPAPI deprecation, see the NPAPI Deprecation Developer Guide.
- April 2014: NPAPI support was removed from Chrome for Linux in release 35.
- April 2014: Developers will be able to update Apps and Extensions that use NPAPI until their listings are unpublished in September. This deviation from the original schedule is to allow for security updates.
- July 2014: Chrome 37 has switched to a harder-to-bypass blocking UI for NPAPI.
Justin Schuh, Security Engineer and Plug-in Retirement Planner