Chrome version 42 will pour your Java coffee down the drain: Plugin blocked by default

NPAPI killed off completely by September

Good riddance to bad Java

The latest release of the Chrome web browser, version 42, will block Oracle's Java plugin by default as well as other extensions that use the deprecated NPAPI.

Chrome 42, available now, brings about the end of official support for NPAPI, a move that will render various plugins incompatible with the browser. Among those will be Oracle's Java plugin, which Chromium will refuse to run.

Users can manually toggle a flag in Chrome's settings to enable NPAPI support if they really, really need a blocked plugin. Come September 2015, that option will disappear permanently.

The open-source project has been threatening to kill off NPAPI since 2013, describing it as a dangerous security and stability risk. Refusing to run Oracle's Java plugin certainly reduces the attack surface against the browser.

Earlier this year, Chrome developer Google pushed along the transition by drawing up a whitelist that only allowed a few trusted plugins to run by default. Now that whitelist is no more, and NPAPI plugins are being booted from the Chrome Web Store:

In April 2015 (Chrome 42) NPAPI support will be disabled by default in Chrome and we will unpublish extensions requiring NPAPI plugins from the Chrome Web Store. All NPAPI plugins will appear as if they are not installed, as they will not appear in the navigator.plugins list nor will they be instantiated (even as a placeholder). Although plugin vendors are working hard to move to alternate technologies, a small number of users still rely on plugins that haven’t completed the transition yet. We will provide an override for advanced users (via chrome://flags/#enable-npapi) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI (via the page action UI) while they wait for mission-critical plugins to make the transition. In addition, setting any of the plugin Enterprise policies (e.g. EnabledPlugins, PluginsAllowedForUrls) will temporarily re-enable NPAPI.
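For administrators who want to find where the overrides named in the statement above are in effect, the following added example (not from the article or from Chromium) checks a managed-policy document and a profile's Local State file, both supplied as JSON text. The JSON policy form, the `browser.enabled_labs_experiments` layout, and the sample inputs are assumptions.

```python
import json

# Names quoted in the Chromium statement above ("e.g." there, so extend as needed).
NPAPI_POLICIES = {"EnabledPlugins", "PluginsAllowedForUrls"}
NPAPI_FLAG = "enable-npapi"  # from chrome://flags/#enable-npapi


def _load(text, source):
    """Parse JSON; return (dict or None, error finding or None)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, f"{source}: not valid JSON ({exc.msg})"
    if not isinstance(data, dict):
        return None, f"{source}: top level is not an object"
    return data, None


def audit_policy(text, source="policy"):
    """Report plugin policies that are set; per the statement, setting any re-enables NPAPI."""
    data, err = _load(text, source)
    if err:
        return [err]
    return [f"{source}: {name} is set, which re-enables NPAPI"
            for name in sorted(NPAPI_POLICIES & data.keys())]


def audit_local_state(text, source="Local State"):
    """Report the per-user flag override.

    Assumption: toggled flags are listed under browser.enabled_labs_experiments,
    optionally suffixed with "@<choice>".
    """
    data, err = _load(text, source)
    if err:
        return [err]
    browser = data.get("browser")
    labs = browser.get("enabled_labs_experiments", []) if isinstance(browser, dict) else []
    if not isinstance(labs, list):
        return [f"{source}: enabled_labs_experiments is not a list"]
    hit = any(isinstance(e, str) and e.split("@")[0] == NPAPI_FLAG for e in labs)
    return [f"{source}: flag {NPAPI_FLAG} is enabled"] if hit else []


# Constructed sample inputs (not taken from a real machine).
SAMPLE_POLICY = '{"HomepageLocation": "https://intranet.example", "PluginsAllowedForUrls": ["https://hr.example/*"]}'
SAMPLE_LOCAL_STATE = '{"browser": {"enabled_labs_experiments": ["enable-npapi"]}}'

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY) + audit_local_state(SAMPLE_LOCAL_STATE):
        print(line)
```
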

The Chromium team is not alone in pushing for the death of Java-in-the-browser. Everyone from the makers of Minecraft to the US government has taken steps to minimize user exposure to the menace of miscreants wielding exploits for Java vulnerabilities.

It probably doesn't help matters, either, that Java was at the center of a nasty legal battle between Oracle and Google over allegations of copyright theft and stolen source code. ®
