With the release of Chrome 42 this week, Google fixed more than 40 vulnerabilities. But the most significant security change in the new browser is Google’s decision to disable the NPAPI, essentially turning off plugins such as Java and Silverlight by default.
The decision didn’t come out of nowhere. Google warned developers and users about it more than a year ago and gradually had changed the way Chrome handles some plugins. The company began requiring users to click to run plugins that rely on the NPAPI, an ancient API that was designed to help extend the functionality of browsers. It was the first real way for developers to add functionality to browsers, which were still emerging at the time. But the NPAPI isn’t necessary in today’s world and causes more problems than it solves.
“Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year,” Justin Schuh of Google wrote in September 2013.
Google has taken a slow approach to this change, as there are a number of popular plugins that rely on it, most notably Java and Silverlight, which are used in various ways across the Web. The final step came this week when Google completely disabled the NPAPI in Chrome 42.
“In April 2015 (Chrome 42) NPAPI support will be disabled by default in Chrome and we will unpublish extensions requiring NPAPI plugins from the Chrome Web Store. All NPAPI plugins will appear as if they are not installed, as they will not appear in the navigator.plugins list nor will they be instantiated (even as a placeholder). Although plugin vendors are working hard to move to alternate technologies, a small number of users still rely on plugins that haven’t completed the transition yet,” Google officials said.
“We will provide an override for advanced users (via chrome://flags/#enable-npapi) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI (via the page action UI) while they wait for mission-critical plugins to make the transition. In addition, setting any of the plugin Enterprise policies (e.g. EnabledPlugins, PluginsAllowedForUrls) will temporarily re-enable NPAPI.”
That override will disappear later this year, in Chrome 45, when Google completely removes support for the NPAPI from the browser.