NPAPI

Last updated

Netscape Plugin Application Programming Interface (NPAPI) is an application programming interface (API) that allows browser plugins to be developed. It was first developed for Netscape browsers, starting in 1995 with Netscape Navigator 2.0, but was subsequently adopted by other browsers. With the advent of HTML5, all major web browsers have removed support for 3rd party NPAPI plugins for security reasons. There are some smaller browsers such as Pale Moon and Waterfox Classic that retain support for NPAPI plugins.

Contents

In NPAPI architecture, a plugin declares content types (e.g. "audio/mp3") that it can handle. When the browser encounters a content type it cannot handle natively, it loads the appropriate plugin, sets aside space within the browser context for the plugin to render and then streams data to it. The plugin is responsible for rendering the data. The plugin runs in-place within the page, as opposed to older browsers that had to launch an external application to handle unknown content types. NPAPI requires each plugin to implement and expose approximately 15 functions for initializing, creating, deleting and positioning plugin content. NPAPI also supports scripting, printing, full-screen plugins, windowless plugins and content streaming.

NPAPI was frequently used for plugins which required intensive, low-level performance such as video players, including Adobe Flash Player and Microsoft Silverlight, as well as platforms for web applications such as the Java Runtime Environment.

Scripting support

Scripting is a feature allowing JavaScript code in a web page to interact with the plugin. Various versions of Netscape and then Mozilla supported this feature using different technologies, including LiveConnect, XPConnect, and NPRuntime.

LiveConnect

LiveConnect is a feature of Web browsers that allows Java and JavaScript software to intercommunicate within a Web page. From the Java side it allows an applet to invoke the embedded scripts of a page, or to access the built-in JavaScript environment, much as scripts can. Conversely, from the JavaScript side, it allows a script to invoke applet methods, or to access Java runtime libraries, much as applets can. [1] [2]

LiveConnect was used in Netscape 4 to implement scriptability of NPAPI plugins.

The Open Java Interface-dependent implementation of LiveConnect was removed from the Mozilla source code tree in late June 2009 as part of the Mozilla 2 cleanup effort. [3] It is no longer needed with the release of a redesigned Java Runtime Environment from Sun Microsystems. However the old implementation was restored for Gecko 1.9.2, as Apple had yet to port the newer JRE over to Mac OS X. [4]

The Java–JavaScript functionality supported by the redesigned Java Runtime Environment is still called "LiveConnect", despite the Open Java Interface-specific approach having been abandoned. [5] With Netscape 4, NPAPI was extended to allow plugins to be scripted. This extension is called LiveConnect. A plugin could implement a Java class and expose an instance of it. The class could be called from JavaScript and from Java applets running within the page.

The disadvantage of LiveConnect is, that it is heavily tied to the version of Java embedded within the Netscape browser. This prevented the browser from using other Java runtimes, and added bloat to the browser download size, since it required Java to script plugins. Additionally, LiveConnect is tricky to program: The developer has to define a Java class for the plugin, run it through a specialized Java header compiler, and implement native methods. Handling strings, exceptions, and other Java objects from C++ is non-obvious. In addition, LiveConnect uses an earlier and now obsolete application programming interface (API) for invoking native C++ calls from Java, called JRI. The JRI technology has long since been supplanted by JNI.

XPConnect

XPConnect (Cross Platform Connect) is a technology which enables simple interoperation between XPCOM and JavaScript.

Object connection

XPConnect allows JavaScript objects to transparently access and manipulate XPCOM objects. It also enables JavaScript objects to present XPCOM compliant interfaces to be called by XPCOM objects. A main goal is that objects communicating from either side of an XPCOM style interface should not generally need to know or care about the implementation language of the object on the other side of the interface.

XPConnect's primary reason for existence is to replace handwritten code used in places where native code needs to interact with JavaScript code. An example is the DOM module.

Security

Full privileges are only granted by default to chrome scripts, i.e. scripts that are part of the application or of an extension. For remote HTML/XHTML/XUL documents, most XPCOM objects are not accessible by the scripts as they have limited privileges due to security reasons. Even if they are accessible (e.g. the XMLHttpRequest object), the usual security restrictions can also be found (e.g. cannot open URLs of other domains).

Mozilla was already using XPCOM to define the interfaces to many objects implemented in C++. Each interface was defined by an IDL file, and run through an IDL compiler that produced header files and a language-neutral type library that was a binary representation of the interface. This binary described the interface, the methods, the parameters, the data structures and enumerations.

XPConnect uses the type library information to marshal calls between different thread contexts and between JavaScript and natively compiled C++. XPConnect is used extensively throughout Mozilla. Starting with Netscape 6.1 and Mozilla 0.9.2, NPAPI was extended, so that a plugin could return a scriptable interface to itself and XPConnect would marshal calls to it from JavaScript and the C++ implementation.

XPConnect has no Java dependency. However, the technology is based on XPCOM. Thus the plugin developer must be familiar with reference counting, interfaces and IDL to implement scripting. The dependency on XPCOM led to certain dynamic linking issues (e.g. the fragile base class problem) which had to be solved before the plugin would work correctly with different browsers. XPCOM has since been changed to supply a statically linked version to address such issues. This approach also requires an .xpt file to be installed next to the dynamic-link library (DLL); otherwise the plugin appears to work, but the scripting does not, causing confusion.

NPRuntime

At the end of 2004, all major browser companies using NPAPI agreed on NPRuntime [6] as an extension to the original NPAPI to supply scripting, via an API that is similar in style to the old C-style NPAPI and is independent of other browser technologies like Java or XPCOM. It is only supported by Firefox ESR (Extended Support Release) and Safari.

Support/deprecation

Because of the age of the API, security issues, and adoption of alternative technologies such as HTML5, software vendors began to phase out NPAPI support in 2013. [7] [8]


The following list of web browsers support all NPAPI plugins:

Similar technologies

ActiveX

Internet Explorer and browsers based on Internet Explorer use ActiveX controls, ActiveX documents and ActiveX scripting to offer in-page extensibility on par with NPAPI. Although commonly associated with Internet Explorer, ActiveX is integration technology that allows any computer program to integrate parts of other computer programs that support such integration. [36] Internet Explorer, however, is discontinued and its replacement, Microsoft Edge, does not support ActiveX.

PPAPI

On 12 August 2009 a page on Google Code [37] introduced a new project called Pepper, with the associated Pepper Plugin API (PPAPI); [38] PPAPI is a derivative of NPAPI aimed to make plugins more portable and more secure. [39] This extension is designed specifically to ease the implementation of out-of-process plugin execution.

PPAPI was initially only supported by Google Chrome and Chromium. Later, other Chromium-based browsers such as Opera and Vivaldi added PPAPI plugin support.

In February 2012 Adobe Systems announced that future Linux versions of Adobe Flash Player would be provided only via PPAPI. The previous release, Flash Player 11.2, with NPAPI support, would receive security updates for five years. [40] In August 2016 Adobe announced that, contrary to their previous statement, it would again support the NPAPI Flash Player on Linux and keep releasing new versions of it. [41]

In August 2020, Google announced that support for PPAPI would be removed from Google Chrome and Chromium in June 2022. [42]

See also

Related Research Articles

Adobe Flash is a multimedia software platform used for production of animations, rich web applications, desktop applications, mobile apps, mobile games, and embedded web browser video players. Flash displays text, vector graphics, and raster graphics to provide animations, video games, and applications. It allowed streaming of audio and video, and can capture mouse, keyboard, microphone, and camera input.

Plug-in (computing) Software component that adds a specific feature to an existing software application

In computing, a plug-in is a software component that adds a specific feature to an existing computer program. When a program supports plug-ins, it enables customization.

Cross Platform Component Object Model (XPCOM) is a cross-platform component model from Mozilla. It is similar to Microsoft Component Object Model (COM) and Common Object Request Broker Architecture (CORBA). It features multiple language bindings and interface description language (IDL) descriptions; thus programmers can plug their custom functions into the framework and connect it with other components.

ActiveX Software framework by Microsoft introduced in 1996

ActiveX is a deprecated software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly from the World Wide Web. Microsoft introduced ActiveX in 1996. In principle, ActiveX is not dependent on Microsoft Windows operating systems, but in practice, most ActiveX controls only run on Windows. Most also require the client to be running on an x86-based computer because ActiveX controls contain compiled code.

Comparison of web browsers

The following tables compare general and technical information for a number of web browsers.

A rich web application is a web application that has many of the characteristics of desktop application software. The concept is closely related to a single-page application, and may allow the user interactive features such as drag and drop, background menu, WYSIWYG editing, etc. The concept was first introduced in 2002 by Macromedia to describe Macromedia Flash MX product. Throughout 2000-s, the term was generalized to describe web applications developed with other competing browser plugin technologies including Java applets, Microsoft Silverlight.

Mozilla Firefox has features that allow it to be distinguished from other web browsers, such as Chrome and Internet Explorer.

Add-on is the Mozilla term for software modules that can be added to the Firefox web browser and related applications. Mozilla hosts them on its official add-on website.

A browser extension is a small software module for customizing a web browser. Browsers typically allow a variety of extensions, including user interface modifications, ad blocking, and cookie management.

A local shared object (LSO), commonly called a Flash cookie, is a piece of data that websites that use Adobe Flash may store on a user's computer. Local shared objects have been used by all versions of Flash Player since version 6.

Microsoft Silverlight Application framework for writing and running rich Internet applications

Microsoft Silverlight is a deprecated application framework designed for writing and running rich web applications, similar to Adobe's own runtime, Adobe Flash. A plugin for Silverlight is still available for a very small number of browsers. While early versions of Silverlight focused on streaming media, later versions supported multimedia, graphics, and animation, and gave support to developers for CLI languages and development tools. Silverlight was also one of the two application development platforms for Windows Phone, but web pages using Silverlight did not run on the Windows Phone or Windows Mobile versions of Internet Explorer, as there was no Silverlight plugin for Internet Explorer on those platforms.

iMacros Browser-based application for macro recording, editing and playback

iMacros is a browser based application for macro recording, editing and playback for web automation and testing. It is provided as a standalone application and extensions for the Mozilla Firefox, Google Chrome, and Internet Explorer web browsers. Developed by iOpus/Ipswitch, It adds record and replay functionality similar to that found in web testing and form filler software. The macros can be combined and controlled via JavaScript. Demo macros and JavaScript code examples are included with the software. Running strictly JavaScript based macros were removed in later versions of iMacros browser extensions. However, users can use alternative browser like Pale Moon, based on older version of Mozilla Firefox to use JavaScript files for web based automated testing with Moon Tester Tool.

Google Chrome Web browser developed by Google

Google Chrome is a cross-platform web browser developed by Google. It was first released in 2008 for Microsoft Windows built with free software components from Apple WebKit and Mozilla Firefox. It was later ported to Linux, macOS, iOS, and Android where it is the default browser built into the OS. The browser is also the main component of Chrome OS, where it serves as the platform for web applications.

Google Native Client (NaCl) is a sandboxing technology for running either a subset of Intel x86, ARM, or MIPS native code, or a portable executable, in a sandbox. It allows safely running native code from a web browser, independent of the user operating system, allowing web apps to run at near-native speeds, which aligns with Google's plans for Chrome OS. It may also be used for securing browser plugins, and parts of other applications or full applications such as ZeroVM.

WebGL JavaScript bindings for OpenGL in web browsers

WebGL is a JavaScript API for rendering interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins. WebGL is fully integrated with other web standards, allowing GPU-accelerated usage of physics and image processing and effects as part of the web page canvas. WebGL elements can be mixed with other HTML elements and composited with other parts of the page or page background.

The HTML5 specification introduced the video element for the purpose of playing videos, partially replacing the object element. HTML5 video is intended by its creators to become the new standard way to show video on the web, instead of the previous de facto standard of using the proprietary Adobe Flash plugin, though early adoption was hampered by lack of agreement as to which video coding formats and audio coding formats should be supported in web browsers. As of 2020, HTML5 video is the only widely supported video playback technology in modern browsers, with the Flash plugin being phased out.

HTML5 can be used as an alternative to some of the functionality of Adobe Flash. Both include features for playing audio and video within web pages. Flash is specifically built to integrate vector graphics and light games in a web page, features that HTML5 also supports.

Pale Moon (web browser) Web browser

Pale Moon is an open-source web browser with an emphasis on customizability; its motto is "Your browser, Your way". There are official releases for Microsoft Windows and Linux, as well as contributed builds for various platforms.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

References

  1. Flanagan, David. (2006). JavaScript: the Definitive Guide. O'Reilly, Sebastopol, California.
  2. For technical details, see the Mozilla Developer Documentation on LiveConnect.
  3. "442399 – remove LiveConnect from the tree". mozilla.org.
  4. "517355 – Restore OJI, Liveconnect and the JEP on the 1.9.2 branch on OS X". mozilla.org.
  5. "Release Notes for the Next-Generation Java™ Plug-In Technology (introduced in Java SE 6 update 10)". sun.com.
  6. "Scripting plugins". Mozilla Developer Network.
  7. "Change in support for Acrobat and Reader plug-ins in modern web browsers". Adobe. 8 February 2016.
  8. "Oracle deprecates the Java browser plugin, prepares for its demise". Ars Technica. 28 January 2016. Retrieved 15 April 2016.
  9. "Netscape-Style Plug-ins Do Not Work After Upgrading Internet Explorer". Support (3.3 ed.). Microsoft. 27 July 2007.
  10. Giannandrea, J. (4 September 2001). "Microsoft breaks Web Plugins in Windows XP". meer.net. Archived from the original on 16 October 2007.
  11. "Description of Internet Explorer Support for Netscape-Style Plug-ins". Support (3.4 ed.). Microsoft. 31 January 2007.
  12. "Microsoft Security Bulletin MS03-015 – Critical". Security TechCenter. Microsoft. 23 April 2003.
  13. "The final countdown for NPAPI". Chromium Blog.
  14. Google will start blocking most Netscape Plug-In API plug-ins in January 2014, will whitelist Silverlight, Unity & others". TechCrunch. 23 September 2013.
  15. "Google looks to drop Netscape Plugin API support in Chrome, starting with blocking most plugins in January 2014". The Next Web. 23 September 2013.
  16. "Update on NPAPI deprecation". Chromium Blog. 27 May 2014.
  17. "Firefox 52.0, See All New Features, Updates and Fixes". Mozilla.
  18. "Firefox dropping NPAPI plugins by the end of 2016—except for Flash". Firefox Site Compatibility. 4 October 2016. Retrieved 25 January 2017.
  19. "Why do Java, Silverlight, Adobe Acrobat and other plugins no longer work?". Mozilla support. Archived from the original on 2017-03-07. Retrieved 2017-03-06.
  20. "1519434 - Disable Flash support by default in Firefox 69". bugzilla.mozilla.org. Retrieved 2019-01-14.
  21. "Plugin Roadmap for Firefox - Plugins". MDN Web Docs . Retrieved 2021-07-12.
  22. Jim Mathies (13 November 2020). "Removal of NPAPI plugin support in Firefox 85". mozilla.dev.platform (via Google Groups). Retrieved 10 February 2021.
  23. "Plugin Roadmap for Firefox". MDN. 19 January 2021. Archived from the original on 21 January 2021. Retrieved 10 February 2021.
  24. Clover, Juli (September 17, 2018). "Apple Releases Safari 12 for macOS Sierra and macOS High Sierra". MacRumors.
  25. "Safari 14 Release Notes". Apple Developer Documentation.
  26. "Why do Oracle Java, Microsoft Silverlight, Adobe Acrobat Reader and other plugins no longer work?" NPAPI plugins
  27. "SeaMonkey 2.53.7 Release Notes" . Retrieved 14 March 2021.
  28. "NPAPI 是重型武器,当别的方法无法到达你的目的时,才建议使用。". NPAPI 插件.
  29. "Support for all NPAPI plugins (Unity, Silverlight, Flash, Java, authentication plugins, etc.)". Basilisk features.
  30. "Most third-party plug-ins designed for Mozilla/Netscape will also work with K-Meleon".Third party plugins.
  31. "Load all NPAPI-Plugins, Java, Silverlight, etc." K-Meleon Hybrid (Goanna over Pro).
  32. "Full and ongoing support for NPAPI plugins (Java, Silverlight, etc.)". Pale Moon: Technical Details
  33. "Pale Moon supports NPAPI plug-ins. Unlike Firefox, we will not be deprecating or removing support for these kinds of plug-ins". Pale Moon future roadmap.
  34. "We use the NPAPI plugin architecture (just like Mozilla) so just install the plugins normally, and things should work". Uzbl FAQ.
  35. "They should be used responsibly, but Waterfox still supports the use of Java and Silverlight plugins, as well as any other 64-Bit NPAPI plugins. Support for NPAPI Plugins.
  36. "Description of ActiveX Technologies". Support. Microsoft. 19 January 2007.
  37. "ppapi". Google Code . Archived from the original on 2010-07-02.
  38. "Getting Started: Background and Basics – The Chromium Projects". chromium.org.
  39. "Concepts - ppapi - Important concepts for working with PPAPI. - Pepper Plugin API – Google Project Hosting". google.com.
  40. "Adobe and Google Partnering for Flash Player on Linux". adobe.com. Archived from the original on 2012-02-23. Retrieved 2012-03-07.
  41. Campbell, Chris (31 August 2016). "Beta News – Flash Player NPAPI for Linux". Adobe AIR and Adobe Flash Player Team Blog. Adobe Systems. Retrieved 8 September 2016.
  42. Anthony Laforge (August 10, 2020). "Changes to the Chrome App Support Timeline". Chromium Blog.