Chrome starts pushing Java off the Web by deprecating NPAPI

Google Launches Chrome 42 that deprecates the NPAPI (Netscape Plugin API) due to the numerous problems it caused in the past.

Google has released Chrome 42, a version that implements the important choice to exclude any plugin using the API called NPAPI (Netscape Plugin API) to extend browser functionalities.

The Netscape Plugin API is dated back 1990 and only in from the Chrome 42 it is no more available by default.

In a transitory period, users will be anyway able to re-enable the API, Google plans to remove NPAPI support entirely. Google has already removed on Linux support in Chrome 35 version,

Google decided to remove the NPAPI because it is the primary cause of many incidents.

“But the web has evolved. Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year.” states a blog post from Chromium.

Google has already removed on Linux support in Chrome 35 version, same choice for browsers in mobile platforms.

“We recently updated our plans to phase out support for NPAPI in early 2015. This guide provides more details about what to expect and alternatives to NPAPI.” states Google. “In September 2015 (Chrome 45) we will remove the override and NPAPI support will be permanently removed from Chrome. Installed extensions that require NPAPI plugins will no longer be able to load those plugins.”

Google suggests various alternatives for the NPAPI, in cases where standard web technologies are not yet sufficient, developers can used NaCl, Apps, Native Messaging API, and Legacy Browser Support.

The experts highlighted that Chrome’s Flash support uses Chrome API called Pepper/PPAPI, for this reason, it will be not impacted by the NPAPI phase out.

What happens with other browsers?

Safari and Firefox continue to support NPAPI, meanwhile Internet Explorer deprecated it in version 5.5 Service Pack 2.

The new Chrome 42 includes various fixes that solve 45 security vulnerabilities in the popular web browser. The principal improvements are:

Advanced Push API and Notifications API
Disabled Oracle’s Java plugin by default as well as other extensions that use NPAPI
Patched 45 security bugs and paid out more than $21,000

Pierluigi Paganini

(Security Affairs – Chrome, NPAPI)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.