Google is planning major changes in the way that Chrome handles many plug-ins. Beginning early next year, Chrome will no longer support the old Netscape Plug-In API and will block plug-ins that use it. That means that some plug-ins, such as Google Earth, Microsoft Silverlight and others, eventually will be blocked by the browser.

The change is designed to protect users against legacy security problems and to make the Chrome browser more stable. The Netscape Plug-In API (NPAPI) is one of the older methods for extending the architecture and functionality of the browser, and developers used it for more than 15 years. Google’s engineers say that the API has outlived its usefulness and is now a major cause of stability and security problems in Chrome.

“Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year,” Justin Schuh, a security engineer at Google, wrote in an explanation of the change.

“We feel the web is ready for this transition. NPAPI isn’t supported on mobile devices, and Mozilla plans to block NPAPI plug-ins in December 2013. Based on anonymous Chrome usage data, we estimate that only six NPAPI plug-ins were used by more than 5% of users in the last month. Still, we appreciate that it will take time to transition away from NPAPI, so we will be rolling out this change in stages.”

Google plans to begin blocking NPAPI plug-ins run by Web sites in January 2014, and then over the next few months it will gradually remove all support for it and block all plug-ins that use it. Schuh said that Google will whitelist some plug-ins that use the API, including Silverlight, Google Earth, Google Talk and Java. But those eventually will be blocked, as well. Google also is planning to remove apps from the Chrome Web Store that use the NPAPI.

“Starting today, no new Apps or Extensions containing NPAPI-based plug-ins will be allowed in the Web Store. Developers will be able to update their existing NPAPI-based Apps and Extensions until May 2014, when they will be removed from the Web Store home page, search results, and category pages. In September 2014, all existing NPAPI-based Apps and Extensions will be unpublished. Existing installations will continue to work until Chrome fully removes support for NPAPI,” Schuh said.
