The legacy of NPAPI

Oct 15, 2014 by Alin

Netscape Navigator browser"Netscape plug-in Application Programming Interface" (NPAPI) is a cross-browser plug-in architecture. In its early days, it was used by the Netscape browser (you might not remember, but Netscape was one of the first browsers, popular back in the 1990s), and then it has been adopted by the modern browsers. Nowadays, all major browsers (such as Google Chrome, Mozilla Firefox, Opera and Safari) are supporting NPAPI, even though some of them started to phase it out.

The technology can run native machine instructions inside the browser and it inherits the privileges from the browser (the host process), leading to a lot of security issues that affected the development even for the major plug-ins on this market (such as Flash Player). These issues, along with the complex development and frequent memory leaks, hangs and crashes proved that alternatives for NPAPI should be found.

NPAPI support in major browsers

  • Google announced one year ago that it will start to "retire" the NPAPI plug-ins in Chrome, so developers should start to plan the plug-in development using other technologies. Also, starting with January 2014, users must accept and activate a plug-in before starting using it in a web page. Moreover, Google already removed NPAPI support for Linux starting with Chrome 35 and it plans to remove the support on other platforms by the end of 2014. Also, the Chrome Web Store has stopped accepting NPAPI plug-ins since 2013.
  • Opera browserStarting with the version no. 30, Firefox also forces users to activate the NPAPI plug-ins before using them on a web page. This behavior is similar to Google Chrome, however Mozilla didn't announce a time line for completely removing the NPAPI support.
  • Opera already removed the NPAPI support for Linux and will most likely remove the support on Windows shortly after Google Chrome because both browsers are based on the Chromium project.
  • Safari, on the other hand, didn’t receive any updates since 2012, so it’s less likely that its support for NPAPI will change soon.

Whitelisted NPAPI plug-ins

Some popular NPAPI plug-ins have been whitelisted and they don't follow the same restrictions (described above) as other plug-ins, for example: Firefox allows developers to apply for whitelisting their plug-in for a couple of browser releases (but the developers must provide a plan to migrate away from NPAPI). The current list of whitelisted plug-ins include more than 20 plug-ins.

Chrome chose to whitelist the following plug-ins because they are used by more than 5% of their users: Silverlight, Unity, Google Earth, Google Talk and Facebook Video. Adobe Flash Player doesn't use the NPAPI architecture in Google Chrome, so whitelisting this plug-in isn't necessary. However, all the plug-ins will be affected by the end of support planned by Google.

Alternatives to NPAPI

Some alternative to the NPAPI architecture include:

  • PPAPI without NaCl
  • NaCl
  • Web Sockets with an external application
  • Mozilla Extensions js-ctypes
  • Google Native Messaging

More on these alternatives in a future blog post :)

Conclusions

NPAPI brought many useful features and it was an important milestone for web development, but nowadays, due to its security and stability issues, developers have started to look for alternatives. The migration from NPAPI to other technologies is also a huge step for web development and it will affect a lot of companies which will research alternatives for their plug-ins. So, what do you think about this transition and what impact will it have on you?


Update: Alternatives for NPAPI are here!




Comments


rockyhopper commented on 5/11/2015 3:34:50 PM

Nice if it can improve security. But, all main actors of the Web should do the same AND put some efforts on finding alternatives.

For example, I found no replacement for "FFWinPlugin Plug-in - SharePoint 2010" (to open Word Docuemnt from javascript) and Microsoft looks like not ready with an alternative.

Regards.
     

Your Comment:







Blog Home   SBP Home
RSS Feed       Contact








 Blog Archives  |  Terms of Use  |  Privacy Policy
© 2017 SBP Romania. All rights reserved.