Feeds

Google clamps down on rogue Chrome plugins and extensions

There's now just one store and Netscape plugins aren't invited

Build a business case: developing custom apps

Updated Google is tightening security on its Chrome web browser by making it harder to install plugins and extensions that could contain malicious code.

The web ad-slinger said in a blog post on Tuesday that it has begun strictly enforcing a policy, first announced in November, that Chrome extensions can only be installed from Google's online store.

The idea is that by mandating a single source for browser extensions, malicious websites won't be able to inject malware into users' browsers by silently installing rogue extensions.

"With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store," Chrome engineering director Eric Kay wrote.

In addition, the Chocolate Factory announced on Tuesday that it is furthering its plan to shut down plugins that use the somewhat-archaic Netscape Plugin Application Programming Interface (NPAPI) – which, incidentally, is the interface that most every other browser, with the exception of Internet Explorer, still supports.

"NPAPI is being phased out. Consider using alternatives," reads a Chrome help website. "NPAPI is a really big hammer that should only be used when no other approach will work."

Google has been pushing its own plugin interface called "Pepper", or PPAPI, which it claims is superior to the old standard. But no other browser maker seems willing to follow its lead in this area, with Mozilla, in particular, saying it is "not interested in or working on Pepper at this time."

That hasn't stopped Google from venturing out on its lonesome, however. NPAPI support has already been dropped from versions of Chrome for Linux, and for the upcoming Chrome version 37, Google says it will roll out a new UI that makes it harder for websites to run NPAPI plugins on all operating systems.

What's more, beginning on Tuesday, NPAPI-based extensions will no longer appear on the Chrome Web Store's homepage, search results, or category pages. The only way to install such extensions will be via a direct link to the appropriate page in Google's store.

"Most use cases that previously required NPAPI are now supported by JavaScript-based open web technologies," Google engineer Justin Schuh wrote in a blog post. "For applications that need low-level APIs, threads, and machine-optimized code, Native Client offers the ability to run sandboxed native code in Chrome."

The trouble is, no other browser maker seems willing to take up Native Client (aka NaCl – salt, as the companion to Pepper), either. Microsoft parted ways with NPAPI years ago, choosing to let developers extend its browser only via its own, proprietary ActiveX technology. Mozilla, on the other hand, has proffered Asm.js as the way to wring performance out of client-side web code, although it isn't planning to drop NPAPI, either.

Nonetheless, Google has said that users can expect support for NPAPI to be removed from Chrome in a future version, "probably by the end of 2014." At that point, anyone who relies on old-school plugins for their web apps will need to migrate to Konqueror, Opera, Safari, or a Mozilla browser like Firefox or SeaMonkey.  ®

Update

Thanks to a reader for pointing out that Opera does now support Google's PPAPI plugin format, and as of last Wednesday even prefers them. "There are not many PPAPI plug-ins out yet, but they should start to show up soon," the company's blog post hopefully states, though Opera hasn't said whether it intends to phase out NPAPI support, as Google plans to do.

Build a business case: developing custom apps

More from The Register

next story
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.