Stating that “NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity”, Google has announced that it intends to remove the Netscape Plug-in API. Also known as NPAPI, this is the plug-in technology used host application runtimes such as Silverlight, Java, and Unity. They are beginning the process in January by disabling all plugins not a small whitelist. These are:
- Silverlight (launched by 15% of Chrome users last month)
- Unity (9.1%)
- Google Earth (9.1%)
- Google Talk (8.7%)
- Facebook Video (6.0%)
Java, used by 8.9% of Chrome users, will not be whitelisted by default because it is already blocked for security reasons. Other NPAPI-based plugins can be enabled on a case-by-case basis by the user.
Effective immediately, the Chrome Web Store will no longer allow new NPAPI applications to be published. Existing ones can be updated thru May 2014, after which they will no longer appear in “Web Store home page, search results, and category pages”. In September 2014 they will be removed entirely from the store.
By the end of 2014 Google intends to completely remove the Netscape Plug-in API. Developers wishing to continue offering plugs will need to transition to another technology. Justin Schuh, Security Engineer and Plug-in Retirement Planner, writes,
There are several alternatives to NPAPI. In cases where standard web technologies are not yet sufficient, developers and administrators can use NaCl, Apps, Native Messaging API, and Legacy Browser Support to transition from NPAPI. Moving forward, our goal is to evolve the standards-based web platform to cover the use cases once served by NPAPI.
Chrome’s built-in Flash and PDF viewer are not affected as they use a different plugin technology.