Google Shuts Off NPAPI in Chrome

With the release of Chrome 42 this week, Google fixed more than 40 vulnerabilities. But the most significant security changeĀ in the new browser is Google’s decision to disable the NPAPI, essentially turning off plugins such as Java and Silverlight by default.

The decision didn’t come out of nowhere. Google warned developers and users about it more than a year ago and gradually had changed the way Chrome handles some plugins. The company began requiring users to click to run plugins that rely on the NPAPI, an ancient API that was designed to help extend the functionality of browsers. It was the first real way for developers to add functionality to browsers, which were still emerging at the time. But the NPAPI isn’t necessary in today’s world and causes more problems than it solves.

“Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year,” Justin Schuh of Google wrote in September 2013.

Google has taken a slow approach to this change, as there are a number of popular plugins that rely on it, most notably Java and Silverlight, which are used in various ways across the Web. The final step came this week when Google completely disabled the NPAPI in Chrome 42.

“In April 2015 (Chrome 42) NPAPI support will be disabled by default in Chrome and we will unpublish extensions requiring NPAPI plugins from the Chrome Web Store. All NPAPI plugins will appear as if they are not installed, as they will not appear in the navigator.plugins list nor will they be instantiated (even as a placeholder). Although plugin vendors are working hard to move to alternate technologies, a small number of users still rely on plugins that haven’t completed the transition yet,” Google officials said.

“We will provide an override for advanced users (via chrome://flags/#enable-npapi) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI (via theĀ page action UI) while they wait for mission-critical plugins to make the transition. In addition, setting any of the plugin Enterprise policies (e.g. EnabledPlugins, PluginsAllowedForUrls) will temporarily re-enable NPAPI.”

That override will disappear later this year, in Chrome 45, when Google completely removes support for the NPAPI from the browser.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.


  • Anonymous on

    I would like to see Google solve the issue of Adobe Shockwave Flash constantly crashing. The crash occurs regardless of whether Shockwave executes from the Google folder or the system folder.
    • Anonymous on

      Adobe Shockwave and Adobe Flash are two different things. I am also a regular Google Chrome user and rarely can I recall when Adobe Flash has crashed in my browser.
  • Anonymous on

    Google's pepperflash is crap and has been since it started. Overall, chrome with it's multitude of processes has gone downhill. Better? I don't think so.
  • Anonymous on

    Here here! Yes, definitely get that fixed ASAP. It is very annoying. And don't tell us the fix is to get rid of flash because there are still many things that flash does that can't be done as easily or executed as quickly using javascript/jscript. Flash Games being one.
  • Tiger on

    They should consider to include Unity Web Player as they did with the flash
  • :l on

  • ben l on

    And this is the day that chrome dies a horrible death. Well, for me at least. As someone who works in I.T. and has to manage many pieces of equipment through java webstart launched web interfaces, I can't really continue to use chrome. I'm sure I'm not alone. Holy shit the captchas on this page are fucked up.
    • dickbutt on

  • fuckflash on

    Fuck Flash...glad it is dying...too slowly though...
  • Anonymous on

    It makes no sense to turn off the Adobe Reader plugin and leave only the basic Chrome PDF viewer which has no search, and poor navigation. By doing this Google gives IT departments at major corporations a major user problem, so next time they will be hesitant to include Chrome in their plans. Will Google be successful with just the casual web surfer audience? I don't think so.
  • dickbutt on

  • pissed on

    The new update is crap. The built-in Adobe Flash is slow and fails to show video's properly.. why they f* it up is beyond me.. Chrome used to be a good browser.. now it's going the way of Microsoft.. "fixing" things that don't need to be fixed..
  • Applet Lover on

    Looks like a perfect time to switch to Firefox!
  • Applet Lover on

    The real reason to get rid of Flash and Java is that Google's advertising can't be injected into applications using those technologies.
  • Zubair Ahmed on

    • Henning Dahl on

      run: chrome://flags/#enable-npapi It will turn NPAPI on again :)
  • Matt Mize on

    Finishing the install for Firefox now... All the HP apps I need as Java based. #timeforachange
  • Anonymous on

    Looks like it's time to switch browsers - too bad, Chrome was such a nice switch. Too bad their forcing the users to go elsewhere. Google isn't big yet to force the internet to switch technology - just browsers and away from their own.
    • Doug on

      Except it appears that Firefox will also stop supporting NPAPI
  • thdhdfhd on

    This is a dick move to those who use Chrome with a disabled Pepperflash for the least amount of lag. I read on google's page about this topic that 'new browser technology is more secure and faster' and that's bullshit. If it's faster then why does it lag more in Pepperflash? Google makes it the biggest pain in the ass to disable auto updates. Even if I succeed, that means I can't use it at a friend's house. Seriously a stupid move to disable it completely. I agree @ whoever said they just want to force users to see their ads. Nothing else explains this poor move.
  • jimmie hultman on

    Google must have been captyred by the same CAPITALISTS who screwed-up the world economy !
  • Jonesy on

    One word: Vivaldi heh... "Google" it.
  • Google is screwing up my productivity on

    Google is pure evil.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.