The vitriol and hate in response to Google’s decision to move away from NPAPI support is just astounding. You would think that Google was trying to steal their first born children. The ranting and the hatred in some of the comments at the Chromium Blog and other threads over the matter is crazy and born entirely from a place of ignorance. These folks clearly do not understand plug-ins or the direction web browsers are going out of necessity.
Browser plug-ins are about to be history. You may as well get used to it, because no amount of screaming and digging your heels in will change it. Plug-ins are still actively used, but they have over-stayed their welcome. They are full of problems and less useful then they used to be. New standards are moving beyond them. Flash was discontinued in Android a long time ago. Flash has never been supported on Apple’s mobile devices. Chrome is ending NPAPI browser plug-in support and Firefox would be smart to follow suit, though I haven’t seen any plans to the effect. All of these features are instead being integrated directly into the browsers.
A plug-in declares certain content types for the browser. When encountered, the browser loads the associated plug-in. The plug-in is renders the data. The plug-in runs within the browser, as opposed to launching an external application to handle the contents.
Chrome ended support for NPAPI in version 42. NPAPI was disabled by default but could still be enabled temporarily. Chrome versions 45 and higher will not have any support at all for NPAPI. Google was not the first to end support for NPAPI but they are taking the right direction. Internet Explorer saw the end of NPAPI support in version 5.5 SP2 and Microsoft Edge wont even support ActiveX let alone NAPI. Netscape Plugin Application Programming Interface (NPAPI) is a cross-platform plug-in architecture first developed for Netscape browsers. It is still in use by browsers today. Java, Silverlight and many others use this NPAPI to integrate into Chrome and Firefox.
Content running via an NPAPI plug-in has the full permissions of the current user. This can be a serious security flaw if the user has any root or administrative access and still poses issues for accounts with more limited access. It is not sand-boxed or from malicious input by the browser in any way whatsoever. NPAPI poses a serious security risk to users and just is not worth the trouble.
Browser plug-ins in general are not secure. They in fact introduce new security risks into browsers that weren’t already there. Flash and Java are the worst offenders. Browser plug-ins are often available for most browsers and platforms. Vulnerabilities in plug-ins like flash and java can affect you on any operating system or browser you use them on.
Web design focused on new standards like HTML5 will eventually remove the need for most plug-ins NPAPI or otherwise. Plug-ins are frequently have security vulnerabilities, memory leaks, and a severe impact on battery life in mobile devices. Important features of plug-ins are being implemented as built-in browser features. Some are in development still, but many of them are ready. Here’s what’s replacing the most popular plug-ins:
- Flash is already by HTML5 video. Major sites like YouTube are using HTML5 video over Flash by default. Flash unfortunately will be with us for a while. Flash may be less relevant because mobile platforms don’t usually support it, but there is a huge installed base of it for corporate and educational use on the desktop computer.
- Java provides a way of embedding entire software programs on web pages. This has been a security and support nightmare. It probably should not be replaced. An end to NPAPI support is likely a long overdue end to Java in the browser. Java is well known for all the security vulnerabilities that plague the platform. Java applets are often blocked or controlled via user prompts in browsers because of the inherent risk involved in using it. The installed base is dwindling but there are game web-sites, such as Pogo.com that rely on Java applets. There are also some educational materials and teaching resources that make use of applets. Java applets are used in corporate settings as well.
- Microsoft is ending development of Silverlight. Video playback done with Silverlight can be done with HTML 5 instead. The are only a handful of sites that use it and the major ones are moving to HTML 5.
- The Unity 3D plug-in allows for 3D graphics on web pages. This is possible without plug-ins via WebGL. The Google Earth plug-in has already been replaced by it.
- The Google Voice and Video plug-in will be replaced by the WebRTC standard for free real-time audio and video communication but the plug-in is still required for Hangouts and Google Talk for the time being.
You may not be ready willing or able to go plug-in free in your browser of choice. The time is rapidly approaching when there wont be a legitimate need for browser plug-ins though. Most plugins that we know of and have used in the past are already irrelevant because they are no longer used or needed. Many of us will remember needing Windows Media Player, QuickTime, or RealPlayer to play video in a browser. People eventually shifted towards Flash, but now Flash is heading down the same path is it’s predecessors. It is time to realize that the end of Plug-ins is not the end of functionality. It is the beginning of a better way to get the job done.
