Forgot your password?
typodupeerror
Chromium

Google Dropping Netscape Plugin API Support In Chrome/Blink 170

Posted by Unknown Lamer
from the wither-portability dept.
An anonymous reader writes "Google today announced it is dropping Netscape Plugin Application Programming Interface support in Chrome. The company will be phasing out support over the coming year, starting with blocking webpage-instantiated plugins in January 2014. Google has looked at anonymous Chrome usage data and estimates that just six NPAPI plug-ins were used by more than 5 percent of users in the last month. To 'avoid disruption' (read: attempt to minimize the confusion) for users, Google will temporarily whitelist the most popular NPAPI plugins: Silverlight, Unity, Google Earth, Google Talk, and Facebook Video." Google offers NaCl as an alternative, and "Moving forward, our goal is to evolve the standards-based web platform to cover the use cases once served by NPAPI."
This discussion has been archived. No new comments can be posted.

Google Dropping Netscape Plugin API Support In Chrome/Blink

Comments Filter:
  • by Daniel Dvorkin (106857) on Monday September 23, 2013 @06:59PM (#44929231) Homepage Journal

    Standards are wonderful, and everyone should have their very own!

    • NaCl is definitely better than NPAPI. Can you spell "sandbox"?
      • by XanC (644172) on Monday September 23, 2013 @07:10PM (#44929311)

        That may be, but why don't we "evolve" this other thing to cover all the existing use cases BEFORE disabling NPAPI?

        • They will never update their NPAPI plugin while it is still working. Because if it work, don't fix it.

          The NPAPI is only depreciate at this point; the summary state that the most common used ones are white-listed. It is therefore probably not impossible to custom white-list any if your specific need.

      • by am 2k (217885) on Monday September 23, 2013 @07:10PM (#44929313) Homepage

        However, NaCl is definitely not a standard if it's only implemented in a single browser.

        Btw, Unity3D already supports NaCl with the same license that supports the web plugin. Silverlight needs to die anyways, and two of those plugins are Google services.

        • Re: (Score:3, Insightful)

          by LordLimecat (1103839)

          Isnt NPAPI just another "de facto" standard anyways? Pretty sure the "N" stands for "netscape", not "W3C" or "IETF" or "RFC".

          • Things can be de-facto standard, or formalized by an organization (like the ones you mentioned).
            NPAPI is a de facto standard.
            NaCl is not a standard at all, just a protocol a single vendor designed themselves and implemented.

          • Yup. It's a pretty horrible API to and has completely insane integration with both event delivery and drawing, which made sense when you were trying to squeeze the last possible bit of performance out of a 33MHz machine without double-buffered graphics but make absolutely no sense now. It definitely does need to be replaced, the problem is getting people to agree on what. Microsoft tried to make ActiveX a replacement, but no one else adopted it. The only reason NPAPI still survives is that it's the only
        • by Gwala (309968)

          Unity3d may support NaCl; but it has a couple of glaring deficiencies - like a lack of network support (this is apparently a issue with the Pepper API not supporting it). The webplayer (NPAPI) version is unfortunately also a bit faster at runtime.

      • by RamiKro (3019255)

        NaCl is a good implementation of a terrible idea: i.e Running software in the browser is all kinds of wrong.

        • NaCl is "running software in the browser". JavaScript is likewise "running software in the browser", so it appears you'd be against that too. Would you rather require every developer of an Internet-connected application to develop an app for Windows, develop an app for Windows RT, develop an app for OS X, develop an app for GNU/Linux, develop an app for iOS, develop an app for Android, develop an app for Windows Phone, develop an app for Wii U, develop an app for Nintendo 3DS, develop an app for PlayStation
          • Yes. More work to do / less efficient task making = more manpower needed to get jobs done = more demand for software development labor = better job prospects for me. :)
          • by RamiKro (3019255) on Monday September 23, 2013 @07:36PM (#44929485)

            Yes. I am against both. Cross platform programming as an Interpreter running in a sandbox (JavaScript) or a bytecode VM (Java, NaCl...) shouldn't be done through the browser.
            The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned. Maybe with an exception for audio\video if we can agree on a codec...

            Keep application development and serving to the likes of Android's Play Store + Dalvik.

            • by aitikin (909209)

              The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned.

              "No one will need more than 637 kB of memory for a personal computer..."

              • The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned.

                "No one will need more than 637 kB of memory for a personal computer..."

                Apples and oranges. Having more RAM doesn't create a huge security risk like running code in a browser does.

                • by RamiKro (3019255)

                  Even if the security issues could be put to rest, there's no justification for running applications in a document viewer.
                  If Google is so concerned with serving up cross platform applications, they can package a VM and an App Store along with their browser. They can even conceive of their own URI scheme that will pass requests to the App Store to download and initialize Apps on the VM.

                  Is it really too much to expect something better then serving GUIs the likes of Facebook and Gmail inside the browser?

                  • If Google is so concerned with serving up cross platform applications, they can package a VM and an App Store along with their browser.

                    Chrome Web Store already exists on desktop versions of Chrome.

                  • by khellendros1984 (792761) on Tuesday September 24, 2013 @01:26AM (#44931467) Journal

                    there's no justification for running applications in a document viewer.

                    Except that most of the world finds it pretty convenient, and anything we've called a web browser in the last 15 years or so has been much more than a document viewer.

                    If Google is so concerned with serving up cross platform applications, they can package a VM and an App Store along with their browser.

                    They do. The V8 Javascript Engine is implemented as a VM. They include the Chrome Web Store in the desktop version of their browser as well. That doesn't mean that it's not beneficial to run apps delivered over the web in the browser, the way that every other vendor does.

                    Is it really too much to expect something better then serving GUIs the likes of Facebook and Gmail inside the browser?

                    And what's wrong with it? A sandboxed plugin API and Javascript VM makes more sense to me than downloading a native app to handle the same thing, and I down see a benefit to having a some kind of Net-VM app, separate from the browser, to run web apps in. Either way, you're still talking about running someone else's code. From that perspective, keeping the browser integrated with a sandboxed scripting and plugin environment makes more sense than any alternatives I've heard anyone propose.

                  • there's no justification for running applications in a document viewer.

                    I'd violently disagree with the idea that the web should be a repository of documents for document viewers. Your comment essentially embodies all that is wrong with the web and the people who developed it. Alan Kay got it right [youtube.com] and you didn't, deal with it.

                • by hairyfeet (841228) <bassbeast1968@@@gmail...com> on Monday September 23, 2013 @09:36PM (#44930337) Journal

                  Exactly and for an example of what can happen look at the "Yahoo Porn Bug" in my journal, I had customers spamming the living hell out of everyone in their address books and all that took was a little code, a hidden iFrame, and a browser that runs the same permission level as the user, in that case Firefox.

                  Frankly the whole current system is just fucked up, you can have code from as many as a dozen different servers, splattered all over the planet, all just to load a single page. And as more and more websites go "Web 3.0 apps apps apps...did we mention we have apps?" the ability to block all that crap from God knows where diminishes. I think the problem is that JavaScript was just never built with security in mind, it was back in the day when organized cybercrime and the like was the realm of sci/fi and instead of starting over when the thing started getting unsafe we just put bandaids on the bullet wounds.

                  • by TheLink (130905)

                    The real problem is everyone has been coming up with "Go buttons" but there was no decent "Stop button". So to stop some stuff but not others you have to make sure ALL the unwanted Go buttons" are not pressed. And that is not easy to do. Some people say "Use a library" the problem is how do you make sure future "Go buttons" that haven't been invented yet are not pressed either? And how about different browsers behaving differently?

                    So more than 10 years ago I proposed that a "Stop" "button" be created: http: [w3.org]

                • Having more RAM doesn't create a huge security risk like running code in a browser does.

                  Why would running code in a browser create a huger security risk than running code outside of a browser? If anything, the latter is more dangerous. The browser at least is expected to expose only a limited interface for the downloaded code to manipulate the state of your machine. Anything else is a bug.

            • by Anonymous Coward

              and don't even get me started on the horseless carriages...

            • by LordLimecat (1103839) on Monday September 23, 2013 @08:31PM (#44929907)

              Nothing stops you from only writing a webpage thats HTML1 with no JS; just dont be surprised when noone wants to visit it.

              • Re: (Score:3, Informative)

                by _merlin (160982)

                Actually, the fact that HTML1 doesn't exist stops you. HTML2 was an attempt to document what browsers of the time rendered (i.e. it was descriptive, as opposed to the prescriptive HTML3 and later), but there was no HTML1.

              • by RamiKro (3019255)

                Why should I care about visits? I don't live off advertisements and page hits.
                I'm interested in delivering information. A company's portfolio... A product's specifications... A personal contact page... A data sheet... Wikipedia with NoScript is done right as far as I'm concerned.

                • Presentation is highly important in this business. Like it or not, an attractive web site does wonders for the opinion of those who might stumble upon it. It does not have to be laden with graphics and other whiz-bang features that slow down the browser, but a boring page suggests a lack of bother and care by the company, which might translate into related opinions from those who browse the page.

                  Geeks continually misunderstand and downplay the significance of image. Humans are visual creatures - ignore this

              • Nothing stops you from only writing a webpage thats HTML1 with no JS; just dont be surprised when noone wants to visit it.

                If it contained interesting stuff, HTML1 wouldn't stop me visiting it. Actually it might provide nicer experience than a modern web page which is surrounded with advertisement banners and various menus from every side.

            • The Internet should be slightly expanded HTML1 and CGI as far as I'm concerned.

              Usability would be horrible. For example, web-based paint programs [wikipedia.org] can currently use HTML5 Canvas, SWF, or Java. But without any sort of client-side scripting, they would have to use a server-side image map and make a round-trip for each click on the image. And imagine how much longer Slashdot comment pages would take to update if every time you expanded or collapsed a comment, the server had to resend the full text of all other comments.

            • by washort (6555) on Tuesday September 24, 2013 @12:21AM (#44931221) Homepage
              So you think the platform for useful apps should be owned by Google instead of being open to everyone?
            • by FauxReal (653820) on Tuesday September 24, 2013 @07:38AM (#44932689) Homepage
              We should probably just go back to Gopher.
        • No it isn't. NaCl is a great proof of concept. It shows that you can sandbox x86 apps using some static analysis of the binaries and a few other constraints (it also showed that segmentation support on modern x86 chips is pretty poor and terrible on Atom). The problem is that it only works on x86 binaries. What proportion of Web use these days is (ARM-based) phones and tablets? 20%? If you make something that only works for 80% (and falling) of your customers, then that's a problem.

          PNaCl is promising

      • by KiloByte (825081)

        NaCl supports only a tiny subset of NPAPI functionality, it's also not portable beyond i386 and armel.

        NPAPI is just as secure (or more often, insecure) as the browser itself. Some sandboxing is in theory good, but NaCl hardly brings anything you can't already do, at a speed and sanity penalty, in javascript.

        At the moment I have only two plugins installed: Flash and DNSSEC Validator. Tell me how would you implement the latter without either arbitrary network access or calling out to the OS.

        • Re: (Score:2, Insightful)

          by tepples (727027)

          NaCl supports only a tiny subset of NPAPI functionality, it's also not portable beyond i386 and armel.

          To which still-manufacturer-supported platforms is NPAPI portable?

          • Manufacturer of what?
            There's flash plugin for sparc, but they stopped at version 11.2.202.223 while the current one on linux is 11.2.202.310
            But surely there are other NPAPI plugins than Adobe ones, like the totem or mplayer plugins.

            For a web browser, let's see iceweasel 17.0.9 [debian.org] :
            amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc

            • Manufacturer of what?

              Manufacturer of the computer. Mostly I was trying to exclude PowerPC Macs from a discussion of the future direction of NPAPI.

              amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc

              Now let me rephrase my question: For which of these platforms are NPAPI plug-ins still released?

        • by Anonymous Coward

          Our company uses a NPAPI (and activex on IE) plugin to bridge between our website and users' TWAIN scanners/cameras.

          It's a fucking shame that after all the *chans and flickrs and reddit over the last decade that none of the browsers (even on the pads) have an "acquire" button to go with their "browse" button on the file upload box.

          Oh wait, there's now a javascript API that will work on about three phones to get video. Whoop de fuck you I'm out.

        • by oPless (63249)

          Last I looked, NaCl is moving to llvm bytecode, allowing on the fly JITting to x86, Arm, etc.

          The only thing that'll be really annoying is there will be no way to access hardware directly. I wrote a PC/SC plugin ages ago to do just this.

          I guess the only way there now would be writing a signed Java applet...

          But wait ... I can't do that on OSX, because ... Chrome is a 32bit app!

        • by manu0601 (2221348)

          Tell me how would you implement [DNSSEC Validator] without either arbitrary network access or calling out to the OS

          It could be done at the level of the OS' DNS resolver, for the good of all applications, including browsers.

      • by gl4ss (559668)

        can you sell properiaty.. because I sure can't!

        why not sandbox npapi?(yeah yeah, full of problems to do that. but not that much more than nacl).

        also where does this leave say, unity web player? is nacl available as feasible route for other browsers? is nacl even ready?

      • by Elbart (1233584)
        And completely under Google's control. Coincidence?
      • by fa2k (881632)

        NaCl is definitely better than NPAPI. Can you spell "sandbox"?

        Unfortunately, the major purpose of plugins is to break out of the sandbox, to access things like sockets, webcams, local files, hardware information, etc. I haven't seen many plugins for the purpose of running speedy code.

    • I think you mean "Standard-esque"

  • by greggman (102198) on Monday September 23, 2013 @07:12PM (#44929329) Homepage

    I use the AmazonMP3Downloader plugin so when I purchase music from Amazon it gets added to my music library immediately.

    AFAIK PPAPI (and NaCl) can't implement that because they need to save the music to places outside the sandbox.

    Maybe Google can help define a "download to music library" HTML5 API?

    • I use the AmazonMP3Downloader plugin so when I purchase music from Amazon it gets added to my music library immediately.

      AFAIK PPAPI (and NaCl) can't implement that because they need to save the music to places outside the sandbox.

      AmazonMP3Downloader could be split into a part that runs inside Chrome and a separate process that downloads the file, and the two parts would communicate with Chrome native messaging [chrome.com]. It's like when Windows Vista came out: applications that needed to run in the background with administrative privileges needed to be split into an elevated service and a not-elevated GUI.

      • by greggman (102198)

        Yea, that would work. So would a little local server (scary).

        I still think I'd prefer an HTML5 Media Library API. Every piece of native code you ask users to install is yet another vector for trojans and viruses. If Amazon has to write one so will Barnes and Noble, Beatport and any other site that wants to let you download music, videos, books, etc directly into your OS's folders for those things.

        • by tepples (727027)

          Every piece of native code you ask users to install is yet another vector for trojans and viruses.

          This is true whether Amazon MP3 Downloader/Cloud Player is an NPAPI plug-in or a separate process, so I don't see the difference.

    • by AmiMoJo (196126) *

      If AmazonMP3Downloader ever gets popular enough to attract black hats who use vulnerabilities in it to pwn your computer you might change your mind about the value of giving plugins that level of access.

      • by greggman (102198)

        Agreed, Which is why I suggested there should be an HTML API for it. Then there will be no need for a plugin.

  • That's why I don't use chrome. But firefox probably does the same.
  • ...can also offer pepper. Seriously, this is crazy. Everyone knows Google won't do no evil.

  • by Anonymous Coward on Monday September 23, 2013 @07:30PM (#44929445)

    Mark my words: Chrome is going to end up being a second IE 6-like millstone around the IT industrys neck. We are already seeing web sites that only work in Chrome (and Safari, if you're lucky). Firefox, IE (!), and whichever intrepid fourth party browser engines still exist on the periphery, will be reduced to second-class citizens..

    • Chrome renders with Webkit, which is used by multiple browsers. Its also one of the most standards-compliant engines out there; if Firefox / IE arent rendering a page and Chrome (webkit) is, thats probably a deficiency in those browsers' engines' standards support.

      • by BZ (40346)

        Actually, WebKit cuts corners on standards a lot more than Firefox and IE do. For example, the official CSS 2.1 test suite from when the standard was finalized two years ago shows WebKit passing about 89% of the tests (for comparison, Firefox passed about 97%).

        If Firefox/IE aren't rendering a page and WebKit is, it's almost always because the page author has written WebKit-specific code (e.g. used -webkit CSS prefixes on properties that are supported without a prefix in other browsers).

        What WebKit and espe

        • by Lehk228 (705449)
          I have not seen a page that firefox doesn't render correctly since it was called firebird.

          my fiance insists on using chrome despite constantly having weird issues with it.
        • by dkf (304284)

          If Firefox/IE aren't rendering a page and WebKit is, it's almost always because the page author has written WebKit-specific code (e.g. used -webkit CSS prefixes on properties that are supported without a prefix in other browsers).

          The problem isn't using browser-specific extensions. The problem is that the page doesn't work without them. What's really wanted is a way to tell a browser to disable all vendor-specific extensions and to have everything be according to standard (or disabled) so that authors can check their stuff ahead of time.

          Checking stuff ahead of time? Hah! I can dream...

  • The new IE is here (Score:4, Interesting)

    by Billly Gates (198444) on Monday September 23, 2013 @07:32PM (#44929459) Journal

    More and more Chrome is reminding me of IE from the humble IE 4 which was the best browser to the jaguarnut of IE 6 which still has not completely died off yet in China and some corporate portals.

    Chrome rushes to throw HTML 5 and CSS 3 features not standardized on W3C so they can pass HTML5test and calls them HTML 5 and CSS 3 but really are made just like box model and CSS were invented by IE. The W3C in the end decided to make it a little different which is why when Firefox went one way the corps hung onto IE 6 instead.

    This NACL and plugins is all 21st activeX to me. If MS did this for IE 11 everyone would be screaming bloody murder.

    • by gQuigs (913879)

      Are you sure that's your sig (Save IE6), or was that the end of your argument :)

    • by StripedCow (776465) on Tuesday September 24, 2013 @04:25AM (#44932059)

      From the NaCl FAQ:

      Is Native Client open? Is it a standard?
      Native Client is completely open: the executable format is open and the source code is open. Right now the Native Client project is in its early stages, so it's premature to consider Native Client for standardization.

      You think that NaCl might lock you in to some proprietary standard, but the complete opposite is true: if you want, you can build your own version of HTML and CSS in NaCl, or build your own programming language. Hell, you can build a browser in NaCl.

    • by knarf (34928)

      the jaguarnut of IE 6

      Elephant bollocks. I guess you meant juggernaut [wikipedia.org]? No nuts there but more to the point.

  • I simply cannot function without that browser add-on. Why is Google doing this? I will be forced to switch browsers. :(
    • by gl4ss (559668)

      dunno why lastpass would need npapi. I don't use it, but I would guess lastpass acts more as a browser plugin, in the sense that it is a plugin for the browser and not a plugin for handling elements on the page that the page creator declared that plugin would handle(like a box on the page that's supposed to show a flash animation).

  • I find it telling that even Google Earth doesn't use NaCl yet.

  • Quake Live runs their engine through a NPAPI plugin. They're supposed to port that to NaCl just for Chrome users? More likely they'll just not support it and ask people to switch to Firefox.

    • by msobkow (48369)

      You still play Quake?

      How... quaint.

      • You still play Quake?

        How... quaint.

        Hey, why not! I support the idea that games from any era can be played at any time. BTW Quake 3 Arena was still the game used for tournaments held at QuakeCon 2013. Playing both old and new stuff makes a nice mix of entertainment.

  • Torture.... (Score:5, Funny)

    by wbr1 (2538558) on Monday September 23, 2013 @09:24PM (#44930251)
    Google once again shuts down a service/feature, but this time they have the audacity to rub NaCl in the wound. That burns, it really does.
  • I used to have a programming job which involved maintaining a large C++ codebase which was shipped as a Windows desktop app, a Mac desktop app, NPAPI plugins on both Windows and Mac, and an Active X control. As it was written before 'modern' Mac NPAPI, you can imagine how ridiculously convoluted it was converting the Mac plugin to support such necessities as Core Animation layer rendering, and the sandboxed event handling that Safari moved to as an attempt to make NPAPI plugins secure. So I spent literally
  • It's not a standard just because you publish the documentation. Or can I make the Hugo-Plugin-Standard now?

    Google is just being a bully because of it's position. "Adopt our made-up standards, or don't interact with us."

  • This is going to make the VMWare browser-based console not functional, which was the only way to manage your VMWare instances in linux.... super.

    • by afidel (530433)

      Linux isn't supported in 5.5 anyways since they upped the flash version requirement to greater than the last version available for Linux.

The disks are getting full; purge a file today.

Working...