It’s the end of an era. Oracle has announced its intent to nail the coffin shut on the Java browser plugin.
The company confirmed Wednesday that it expects to deprecate the plugin in JDK 9, slated for release in September, and JRE, in a future Java SE release.
Dalibor Topic, a member of Oracle’s Java Strategy Team, posted the news in an entry to the Java Platform Group’s Product Management blog, acknowledging the company’s move toward a “plugin free web,” and that the main reason behind the move is a result of many browsers electing to move on from plugin based technologies.
Google disabled NPAPI, turning off often meddlesome plugins like Java and Silverlight, by default last April. Support for NPAPI was eventually completely removed in Chrome 45, which was pushed out in September 2015. While Mozilla won’t completely remove support for NPAPI plugins in Firefox until the end of 2016, it did take similar steps with Firefox, making Java plugins click-to-play by default back in 2013 to thwart attackers from using them as a vector for compromises.
Internet Explorer and Safari are expected to be the only browsers left that will accept NPAPI plugins after this year.
Partly because the plugin was cross-platform, and updates came infrequently, Java was a beloved target for attackers over the years. In 2012 and 2013 the plugin was virtually ubiquitous on PCs, and it was often difficult to go a few weeks without a new zero day surfacing against the applet.
Topic warns that any developers working on apps that still rely on the Java plugin will switch to something else, like Oracle’s standalone Java framework Java Web Start. For those who can’t wait to get rid of the plugin, he points out that early access releases of JDK 9 are available for download.