Feeds

Google clamps down on rogue Chrome plugins and extensions

There's now just one store and Netscape plugins aren't invited

Remote control for virtualized desktops

Updated Google is tightening security on its Chrome web browser by making it harder to install plugins and extensions that could contain malicious code.

The web ad-slinger said in a blog post on Tuesday that it has begun strictly enforcing a policy, first announced in November, that Chrome extensions can only be installed from Google's online store.

The idea is that by mandating a single source for browser extensions, malicious websites won't be able to inject malware into users' browsers by silently installing rogue extensions.

"With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store," Chrome engineering director Eric Kay wrote.

In addition, the Chocolate Factory announced on Tuesday that it is furthering its plan to shut down plugins that use the somewhat-archaic Netscape Plugin Application Programming Interface (NPAPI) – which, incidentally, is the interface that most every other browser, with the exception of Internet Explorer, still supports.

"NPAPI is being phased out. Consider using alternatives," reads a Chrome help website. "NPAPI is a really big hammer that should only be used when no other approach will work."

Google has been pushing its own plugin interface called "Pepper", or PPAPI, which it claims is superior to the old standard. But no other browser maker seems willing to follow its lead in this area, with Mozilla, in particular, saying it is "not interested in or working on Pepper at this time."

That hasn't stopped Google from venturing out on its lonesome, however. NPAPI support has already been dropped from versions of Chrome for Linux, and for the upcoming Chrome version 37, Google says it will roll out a new UI that makes it harder for websites to run NPAPI plugins on all operating systems.

What's more, beginning on Tuesday, NPAPI-based extensions will no longer appear on the Chrome Web Store's homepage, search results, or category pages. The only way to install such extensions will be via a direct link to the appropriate page in Google's store.

"Most use cases that previously required NPAPI are now supported by JavaScript-based open web technologies," Google engineer Justin Schuh wrote in a blog post. "For applications that need low-level APIs, threads, and machine-optimized code, Native Client offers the ability to run sandboxed native code in Chrome."

The trouble is, no other browser maker seems willing to take up Native Client (aka NaCl – salt, as the companion to Pepper), either. Microsoft parted ways with NPAPI years ago, choosing to let developers extend its browser only via its own, proprietary ActiveX technology. Mozilla, on the other hand, has proffered Asm.js as the way to wring performance out of client-side web code, although it isn't planning to drop NPAPI, either.

Nonetheless, Google has said that users can expect support for NPAPI to be removed from Chrome in a future version, "probably by the end of 2014." At that point, anyone who relies on old-school plugins for their web apps will need to migrate to Konqueror, Opera, Safari, or a Mozilla browser like Firefox or SeaMonkey.  ®

Update

Thanks to a reader for pointing out that Opera does now support Google's PPAPI plugin format, and as of last Wednesday even prefers them. "There are not many PPAPI plug-ins out yet, but they should start to show up soon," the company's blog post hopefully states, though Opera hasn't said whether it intends to phase out NPAPI support, as Google plans to do.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Nexus 7 fandroids tell of salty taste after sucking on Google's Lollipop
Web giant looking into why version 5.0 of Android is crippling older slabs
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
SLURP! Flick your TONGUE around our LOLLIPOP – Google
Android 5 is coming – IF you're lucky enough to have the right gadget
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.