Feeds

Google clamps down on rogue Chrome plugins and extensions

There's now just one store and Netscape plugins aren't invited

Top 5 reasons to deploy VMware with Tegile

Updated Google is tightening security on its Chrome web browser by making it harder to install plugins and extensions that could contain malicious code.

The web ad-slinger said in a blog post on Tuesday that it has begun strictly enforcing a policy, first announced in November, that Chrome extensions can only be installed from Google's online store.

The idea is that by mandating a single source for browser extensions, malicious websites won't be able to inject malware into users' browsers by silently installing rogue extensions.

"With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store," Chrome engineering director Eric Kay wrote.

In addition, the Chocolate Factory announced on Tuesday that it is furthering its plan to shut down plugins that use the somewhat-archaic Netscape Plugin Application Programming Interface (NPAPI) – which, incidentally, is the interface that most every other browser, with the exception of Internet Explorer, still supports.

"NPAPI is being phased out. Consider using alternatives," reads a Chrome help website. "NPAPI is a really big hammer that should only be used when no other approach will work."

Google has been pushing its own plugin interface called "Pepper", or PPAPI, which it claims is superior to the old standard. But no other browser maker seems willing to follow its lead in this area, with Mozilla, in particular, saying it is "not interested in or working on Pepper at this time."

That hasn't stopped Google from venturing out on its lonesome, however. NPAPI support has already been dropped from versions of Chrome for Linux, and for the upcoming Chrome version 37, Google says it will roll out a new UI that makes it harder for websites to run NPAPI plugins on all operating systems.

What's more, beginning on Tuesday, NPAPI-based extensions will no longer appear on the Chrome Web Store's homepage, search results, or category pages. The only way to install such extensions will be via a direct link to the appropriate page in Google's store.

"Most use cases that previously required NPAPI are now supported by JavaScript-based open web technologies," Google engineer Justin Schuh wrote in a blog post. "For applications that need low-level APIs, threads, and machine-optimized code, Native Client offers the ability to run sandboxed native code in Chrome."

The trouble is, no other browser maker seems willing to take up Native Client (aka NaCl – salt, as the companion to Pepper), either. Microsoft parted ways with NPAPI years ago, choosing to let developers extend its browser only via its own, proprietary ActiveX technology. Mozilla, on the other hand, has proffered Asm.js as the way to wring performance out of client-side web code, although it isn't planning to drop NPAPI, either.

Nonetheless, Google has said that users can expect support for NPAPI to be removed from Chrome in a future version, "probably by the end of 2014." At that point, anyone who relies on old-school plugins for their web apps will need to migrate to Konqueror, Opera, Safari, or a Mozilla browser like Firefox or SeaMonkey.  ®

Update

Thanks to a reader for pointing out that Opera does now support Google's PPAPI plugin format, and as of last Wednesday even prefers them. "There are not many PPAPI plug-ins out yet, but they should start to show up soon," the company's blog post hopefully states, though Opera hasn't said whether it intends to phase out NPAPI support, as Google plans to do.

Beginner's guide to SSL certificates

More from The Register

next story
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.