Pierluigi Paganini April 16, 2015

Google Launches Chrome 42 that deprecates the NPAPI (Netscape Plugin API)  due to the numerous problems it caused in the past.

Google has released Chrome 42, a version that implements the important choice to exclude any plugin using the API called NPAPI (Netscape Plugin API) to extend browser functionalities.

The Netscape Plugin API is dated back 1990 and only in from the Chrome 42 it is no more available by default.

In a transitory period, users will be anyway able to re-enable the API, Google plans to remove NPAPI support entirely. Google has already removed on Linux support in Chrome 35 version,

Google decided to remove the NPAPI because it is the primary cause of many incidents.

“But the web has evolved. Today’s browsers are speedier, safer, and more capable than their ancestors. Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year.” states a blog post from Chromium.

Google has already removed on Linux support in Chrome 35 version, same choice for browsers in mobile platforms.

“We recently updated our plans to phase out support for NPAPI in early 2015. This guide provides more details about what to expect and alternatives to NPAPI.” states Google. “In September 2015 (Chrome 45) we will remove the override and NPAPI support will be permanently removed from Chrome. Installed extensions that require NPAPI plugins will no longer be able to load those plugins.”

Google suggests various alternatives for the NPAPI, in cases where standard web technologies are not yet sufficient, developers can used  NaCl, Apps, Native Messaging API, and Legacy Browser Support.

The experts highlighted that Chrome’s Flash support uses Chrome API called Pepper/PPAPI, for this reason, it will be not impacted by the NPAPI phase out.

What happens with other browsers?

Safari and Firefox continue to support NPAPI, meanwhile Internet Explorer deprecated it in version 5.5 Service Pack 2.

The new Chrome 42 includes various fixes that solve 45 security vulnerabilities in the popular web browser. The principal improvements are:

• Advanced Push API and Notifications API
• Disabled Oracle’s Java plugin by default as well as other extensions that use NPAPI
• Patched 45 security bugs and paid out more than $21,000

Pierluigi Paganini

(Security Affairs –  Chrome, NPAPI)