This article is more than 1 year old

Google clamps down on rogue Chrome plugins and extensions

There's now just one store and Netscape plugins aren't invited

Updated Google is tightening security on its Chrome web browser by making it harder to install plugins and extensions that could contain malicious code.

The web ad-slinger said in a blog post on Tuesday that it has begun strictly enforcing a policy, first announced in November, that Chrome extensions can only be installed from Google's online store.

The idea is that by mandating a single source for browser extensions, malicious websites won't be able to inject malware into users' browsers by silently installing rogue extensions.

"With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store," Chrome engineering director Eric Kay wrote.

In addition, the Chocolate Factory announced on Tuesday that it is furthering its plan to shut down plugins that use the somewhat-archaic Netscape Plugin Application Programming Interface (NPAPI) – which, incidentally, is the interface that most every other browser, with the exception of Internet Explorer, still supports.

"NPAPI is being phased out. Consider using alternatives," reads a Chrome help website. "NPAPI is a really big hammer that should only be used when no other approach will work."

Google has been pushing its own plugin interface called "Pepper", or PPAPI, which it claims is superior to the old standard. But no other browser maker seems willing to follow its lead in this area, with Mozilla, in particular, saying it is "not interested in or working on Pepper at this time."

That hasn't stopped Google from venturing out on its lonesome, however. NPAPI support has already been dropped from versions of Chrome for Linux, and for the upcoming Chrome version 37, Google says it will roll out a new UI that makes it harder for websites to run NPAPI plugins on all operating systems.

What's more, beginning on Tuesday, NPAPI-based extensions will no longer appear on the Chrome Web Store's homepage, search results, or category pages. The only way to install such extensions will be via a direct link to the appropriate page in Google's store.

"Most use cases that previously required NPAPI are now supported by JavaScript-based open web technologies," Google engineer Justin Schuh wrote in a blog post. "For applications that need low-level APIs, threads, and machine-optimized code, Native Client offers the ability to run sandboxed native code in Chrome."

The trouble is, no other browser maker seems willing to take up Native Client (aka NaCl – salt, as the companion to Pepper), either. Microsoft parted ways with NPAPI years ago, choosing to let developers extend its browser only via its own, proprietary ActiveX technology. Mozilla, on the other hand, has proffered Asm.js as the way to wring performance out of client-side web code, although it isn't planning to drop NPAPI, either.

Nonetheless, Google has said that users can expect support for NPAPI to be removed from Chrome in a future version, "probably by the end of 2014." At that point, anyone who relies on old-school plugins for their web apps will need to migrate to Konqueror, Opera, Safari, or a Mozilla browser like Firefox or SeaMonkey.  ®

Update

Thanks to a reader for pointing out that Opera does now support Google's PPAPI plugin format, and as of last Wednesday even prefers them. "There are not many PPAPI plug-ins out yet, but they should start to show up soon," the company's blog post hopefully states, though Opera hasn't said whether it intends to phase out NPAPI support, as Google plans to do.

More about

TIP US OFF

Send us news


Other stories you might like