Google has shut down most plug-ins built for a decades-old architecture in the beta of Chrome 32, making good on a promise from September that it would nix NPAPI.
NPAPI, for Netscape Plug-in Application Programming Interface, harks back to -- not surprisingly -- Netscape, the 1990s browser that Microsoft drove into oblivion. The NPAPI architecture has long been criticized for slack security, with years of plug-in hacking, particularly of Adobe Flash Player, Adobe Reader and Oracle's Java, backing that appraisal.
In September, Google announced that Chrome would block website-triggered use of NPAPI plug-ins. Chrome 32, which last week entered Google's "Beta" channel -- one of the three it maintains -- will be the first step.
Although Google does not hew to a strict six-week release schedule, as does rival Mozilla for the Firefox browser, the "Stable," or production-quality version of Chrome 32 will probably launch within the first two weeks of 2014.
By default, Chrome 32 Beta blocks all but a handful of NPAPI plug-ins. The six on the whitelist include Microsoft's Silverlight plug-in, which was run by about 15% of all Chrome users in August; and those for Unity, Google Earth, Java, Google Talk, and Facebook Video. The Unity plug-in is required to view 3-D content, mostly games, created with the cross-platform game engine by the same name.
The still-allowed plug-ins will be blocked at some point next year when Google pulls NPAPI support from Chrome.
Google's preliminary ban on NPAPI plug-ins follows years of work to reduce Chrome's reliance on the older architecture. In 2012, for example, Google ported Adobe's Flash Player plug-in to its own PPAPI (Pepper Plugin Application Programming Interface) standard, called "Pepper" for short.
By porting Flash to Pepper, Google's engineers were able to stuff the Adobe plug-in into a "sandbox" as robust as the one that protects Chrome itself.
Chrome, like other browsers, has also used "click-to-play" to block casual use of plug-ins. Under click-to-play, a user must explicitly approve the use of a plug-in when a website or page element requires it. However, with the exception of outdated versions of some plug-ins -- Java is the best example -- Chrome continues to let plug-ins run by default; the user must change a setting to enable click-to-play.
Mozilla plans to take the opposite tack in Firefox 26, which will automatically turn on click-to-play for all NPAPI plug-ins except the most recent version of Flash Player. Firefox 26, currently in Mozilla's Beta channel, is scheduled to ship in Release form on Dec. 10. Unlike Chrome, which has Flash baked in, Firefox still depends on Adobe's NPAPI's external plug-in to execute Flash content.
Mozilla has never said it will follow Google's lead and remove NPAPI support from Firefox. Odds are Mozilla will not, as its browser does not support Google's Pepper architecture, leaving it with little option other than click-to-play.
Google has promised that until it yanks NPAPI support entirely, users and company IT admins will be able to add other plug-ins to the whitelist.
The beta of Chrome 32 can be downloaded from Google's website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is [email protected].
Read more about web apps in Computerworld's Web Apps Topic Center.