Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Firefox Mozilla

Firefox Support For NPAPI Plugins Ends Next Year (mozilla.org) 147

An anonymous reader writes: Mozilla announced that it will follow the lead of Google Chrome and Microsoft Edge in phasing out support for NPAPI plugins. They expect to have it done by the end of next year. "Plugins are a source of performance problems, crashes, and security incidents for Web users. ... Moreover, since new Firefox platforms do not have to support an existing ecosystem of users and plugins, new platforms such as 64-bit Firefox for Windows will launch without plugin support." Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture." There's no exception for Java, though.
This discussion has been archived. No new comments can be posted.

Firefox Support For NPAPI Plugins Ends Next Year

Comments Filter:
  • Experience? (Score:5, Insightful)

    by Anonymous Coward on Saturday October 10, 2015 @07:51AM (#50698345)

    Too much use of the word 'experience' shows that Mozilla has been taken over by managers.

    • by Anonymous Coward on Saturday October 10, 2015 @07:57AM (#50698349)

      That's a nice first post experience you had there!

    • by Anonymous Coward

      Nope, it means they are older than 14 and have a corresponding vocabulary.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Nope, experience is a bullshit bingo word because it triggers the positive association that people have with knowledge which is gained through experience. But while it sounds positive, it doesn't actually make a qualitative or quantitative claim one way or the other in the way it is used by business people. "The web experience" just means that people are using the web. They could be hating it from start to finish, not learning a thing on the way, and it would still be their web experience.

    • by idji ( 984038 )
      Too much use of the word "features" leads to bloat and forgetting what people are using the software for.
  • Thing is, I absolutely refuse to browse the web without the plugins which increase my security....noscript AND requestpolicy.

    Anything else is just not responsible. Unless mozilla intends to make script blocking and 3rd party contend loading control as core features (as they should be), then....I wont be using it.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Wrong type of plugin. This is about plugins like Flash, such as ... uh ... I dunno, Adobe PDF reader? The Java plugin, I guess. Things like that. Basically nothing anyone will miss.

      Of course, they're also killing support for NoScript and requestpolicy, except that happens earlier than "the end of next year." The timeline for support for those to be removed is mid-2016, as I recall.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Of course, they're also killing support for NoScript

        Odd. Giorgio Maone, the author of NoScript, says Mozilla isn't doing that [hackademix.net]. It's almost as if you don't know what you're talking about.

        • Of course, they're also killing support for NoScript

          Odd. Giorgio Maone, the author of NoScript, says Mozilla isn't doing that [hackademix.net]. It's almost as if you don't know what you're talking about.

          This is the Internet, and Slashdot! How dare you accuse someone of not knowing what they are talking about!

      • And that's the crazy thing about this, they're deprecating NPAPI, whose main user is Flash, "for security reasons", but specifically leaving in support for... Flash, the most dangerous, buggy attack vector there is. It's like the TSA announcing that they're going to continue running their long-running security theatre performance in order to annoy all travellers, but will be waving through anyone with dynamite strapped to their body.
        • by TheCarp ( 96830 )

          Actually you know what it reminds me of....

          Back in days of old there was a Place called Buzzy's in Boston. It was a tiny little corner take out place downtown. They had roast beef and the whole menu was cartoon art. They were open late, and right by a train station.

          Well One day they were shut down, if I remember, there was a big IRS sign about the property being seized. Then a year or three later, there was Buzzy's again, under new management. Mostly the same menu..... but then I saw an interview with the n

    • by WD ( 96061 ) on Saturday October 10, 2015 @08:50AM (#50698497)

      Add-ons will continue to work. This is talking about NPAPI plugins.

      • by cfalcon ( 779563 )

        Will noscript continue to work? That's the only 100% mandatory one IMO, and it sounds like they might be working to keep noscript available somehow.

        I think we'll need those features for the next generation of in-browser ad blockers, though. I dunno that for sure.

        • I sure hope so.
          I too have at 2 must have mandatory inclusions to Firefox, no script and firebug. Then there is a couple nice to have such as the YT center plugin that "fixes" the ads, on-demand or as needed loading, etc. and some media plugins (Google talk, VLC, QT, etc.) that helps with embedded media on this old xp machine.
    • Re:Is this goodbye? (Score:4, Informative)

      by Anonymous Coward on Saturday October 10, 2015 @09:06AM (#50698545)

      Plug-ins != add-ons

  • by 140Mandak262Jamuna ( 970587 ) on Saturday October 10, 2015 @08:36AM (#50698457) Journal

    Of course, there's an exception: "Because Adobe Flash is still a common part of the Web experience for most users, we will continue to support Flash within Firefox as an exception to the general plugin policy. Mozilla and Adobe will continue to collaborate to bring improvements to the Flash experience on Firefox, including on stability and performance, features and security architecture."

    The moral is, if you screw up in small scale you pay the price. If you screw up in gigantic scale, others will accommodate you. Small borrowers get foreclosed. Gigantic debtors get bailed out. Minor plug-ins with stability and security issues get pulled.Even major ones like java. But you screw up in gigantic scale like Adobe Flash, the market prices your misdeeds in and expects others to act knowing, "yeah, Adobe Flash is a mess, but we know it is a mess, we need to work around it".

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I was going to post pretty much the same thing. Yes, let's close off all those insecure plugins, but give FLASH a pass. The worst offender of the bunch for security and stability issues. Flash: the Citibank of plugins.

      • by Anonymous Brave Guy ( 457657 ) on Saturday October 10, 2015 @09:10AM (#50698555)

        It's not even as if Java is a huge security problem today. It's effectively been click-to-play by default in all major browsers for a long time, and the plug-in itself then has a bunch more security safeguards before it will trust remote code to do just about anything.

        As I seem to have to point out every time this subject gets raised, this is a horrible move in terms of preserving useful content on the web. A lot of things that have been done with plug-ins like Java or Silverlight are small and in-house, like the math lecturer's interactive visualisation of something in their course, or the applet some guy in sales wrote a few years ago for the intranet so the group managers could see a quick overview of how everything is going and copy the data straight into their Excel spreadsheet. Of course they have also been used for a lot of GUIs for networked devices, where things like drawing interactive charts wasn't possible using native web technologies until relatively recently.

        Many of these useful tools won't have dedicated maintainers and they aren't magically going to get rewritten to use the new blessed technologies. Closing them off in Firefox as well just means anyone who actually relies on them is now left on IE forever. Again.

        • Closing them off in Firefox as well just means anyone who actually relies on them is now left on IE forever. Again.

          They could just as easily use an old version of Firefox instead. It's not like the previous versions are going anywhere, and it isn't unreasonable for ancient, unmaintained web sites using obsolete plugins to require a contemporary web browser.

          • ...it isn't unreasonable for ancient, unmaintained web sites using obsolete plugins to require a contemporary web browser.

            Where by ancient you mean written more than a year ago, by unmaintained you mean without dedicated resources available to rewrite the entire thing every few months, and by obsolete you mean no longer working in browsers with rapid updates but still working just fine in trusty, stable IE?

            The idea that something that worked just a year or two ago should no longer work on today's browsers is unreasonable. Much of the reason the web has been successful is that it has been standardised and future-proof. There we

            • The idea that something that worked just a year or two ago should no longer work on today's browsers is unreasonable.

              There will always be a cut-off point where support for older interfaces is dropped. The standard is not whether something worked a year or two ago, but whether it followed the recommended best practices in effect at that time. If you write a site using standards on the verge of being declared obsolete, you have no one to blame but yourself. Dependence on NPAPI plugins hasn't been best practice for a long time now, much longer than one year; Flash is the only plugin with any widespread support left, and it'

              • by Anonymous Brave Guy ( 457657 ) on Saturday October 10, 2015 @09:10PM (#50701493)

                The standard is not whether something worked a year or two ago, but whether it followed the recommended best practices in effect at that time.

                The important thing is always whether something works properly. Everything else -- formal standards, compatibility work, portability work -- is just a means to that end.

                If you write a site using standards on the verge of being declared obsolete, you have no one to blame but yourself.

                Which is an easy argument to make until someone points out that in these cases the people declaring something "obsolete" are frequently biased and, in particular, advocating a new and inferior replacement.

                Dependence on NPAPI plugins hasn't been best practice for a long time now, much longer than one year

                And yet viable alternatives to the things we've been doing successfully with various plug-ins for literally a decade or more have barely been around that long, and in many cases are still obviously and objectively worse in significant respects today.

                Flash is the only plugin with any widespread support left, and it's been on its way out for a while.

                Not in corporate use. Not even close.

                Sites which depend on such plugins already fail on mobile browsers, which are becoming more and more popular and haven't even supported Flash for several years, much less other plugins.

                And the corporates mostly don't care, because they have real work to do and provide their staff with real computers to do it. No-one is preparing their quarterly accounts presentation on an iPhone.

                Plugins, on the other hand, have always been a compatibility nightmare—non-standardized, proprietary, and non-portable.

                And yet Java applets were recognised as early at the <applet> tag somewhere back in the 90s, while Flash has been one of the most successfully standardised parts of web history in terms of both portability and longevity. I suspect only HTTP, HTML 4 and CSS 2.1 have been more successful in those respects.

                If you like standards and cross-browser compatibility, you should be backing this change.

                I like things that work. To be fair, I also like the new "standard" and "cross-browser compatible" features, but for a very different reason: they are still so badly implemented so often, and broken so often by browser updates, that I make an awful lot of money fixing things that rely on them.

                fewer one-off, closed-source, browser- and OS-specific binary plugins

                Because ECE for multimedia playback and graphics drivers to accelerate WebGL are so much better?

                IE itself is deprecated

                It really isn't, in any practical sense. Realistically, Microsoft are going to continue supporting it until at least 2020 because of the Win7 support, and because dropped it would cost them the support of the business community that makes up the lion's share of revenues.

                For perspective, that is more than 30 six-weekly update cycles of various other major browsers where businesses don't have to worry unduly about something they rely on being arbitrarily broken.

        • by isj ( 453011 )

          The content plugin support has always been a mixed blessing. It was sometimes useful as a stop-gap until the browsers supported some new form of content (eg. SVG, MathML, ...). With the removal of plugin support and acceleration of the death of plugins it means that new content forms will have to be implemented in all browsers, which seems wasteful to me.

          On the other hand, with the current feature set of html5+javascript+canvas+webgl you can make quite good interfaces. In the odd (but not completely rare) c

          • by Anonymous Brave Guy ( 457657 ) on Saturday October 10, 2015 @11:59AM (#50699209)

            I make browser-based user interfaces for a living, and I can say without hesitation that a lot of these new technologies aren't ready for prime time yet (though that's not going to stop Google, Apple and Mozilla treating them as if they are).

            SVG and Canvas performance is highly variable. There are sometimes serious rendering glitches in some of the browsers as well, even looking at quite simple cases. Plus issues with events not propagating properly, which variation of animations we're supporting this week, etc.

            MathML is only supported usefully in Firefox and Safari.

            HTML5 audio/video is just a gigantic mess, not only in the lack of any portable format for each that works just about everywhere, but also in terms of browser controls, cache behaviour, even basic stuff like triggering corresponding JS events at the right time or showing the right poster image for a video. Plus of course there's the whole ECE mess, which is corrupting the open web with DRM, creating whole new attack vectors, or just another kind of plug-in that now needs to be developed and then ported across platforms instead of the old ones, depending on who you'd like to hate it the most right now.

            WebGL is interesting but support is generally still patchy. It's also worth noting that like any of the other hardware-accelerated features here, it's going to create more attack surface, which is why the argument that browser features are somehow more likely to be secure than the equivalent plug-in features they're replacing is just silly.

            As a final comment, a lot of those sites using plug-ins that you call "legacy" were doing things the only way they could just a few years ago. Even if they all worked properly today, those technologies I mentioned above have only been viable alternatives very recently. It's not realistic to expect everyone who has been developing tools built with plug-ins and sunk large amounts of time and money into developing them to just do a Big Rewrite into HTML5-friendly technologies to suit the browser makers. Given that most of those browser makers have made it abundantly clear that they don't really care about providing meaningful long term support for anything any more, I suspect before long they are going to start reaping what they have sown as they find people who build web apps increasingly sceptical about relying on unproven features. Ironically, they could even be strengthening the native software and mobile app markets in the long run.

        • It's not even as if Java is a huge security problem today. It's effectively been click-to-play by default in all major browsers for a long time, and the plug-in itself then has a bunch more security safeguards before it will trust remote code to do just about anything.

          As I seem to have to point out every time this subject gets raised, this is a horrible move in terms of preserving useful content on the web. A lot of things that have been done with plug-ins like Java or Silverlight are small and in-house, like the math lecturer's interactive visualisation of something in their course, or the applet some guy in sales wrote a few years ago for the intranet so the group managers could see a quick overview of how everything is going and copy the data straight into their Excel spreadsheet. Of course they have also been used for a lot of GUIs for networked devices, where things like drawing interactive charts wasn't possible using native web technologies until relatively recently.

          Many of these useful tools won't have dedicated maintainers and they aren't magically going to get rewritten to use the new blessed technologies. Closing them off in Firefox as well just means anyone who actually relies on them is now left on IE forever. Again.

          Internet explorer won't keep up with this forever. Does anyone have experience of the new Windows 10 browser (Edge) and Java?

          Where I work we have to deal with many sites where we are absolutely forced to use Java browser based apps. We have no option. Theres been talk that we might just have to write our own application to do this as browsers just can't be trusted not to lock us out of these systems.

          Some people I work with keep an old XP VM around with an old version of Java and an old browser just to be ab

          • Edge doesn't support Java applets at all.

            I think IE will continue to do so indefinitely, because Google and Mozilla just gifted a significant advantage to Microsoft for a significant number of their business customers.

            • IE 11 is the new eternal IE 6. Yes Windows 10 includes IE 11 AND Edge.

              Too many corporations refuae to ever upgrade unless their is a business case with a return on investment can be documented. Java desktop applets were depreciated in 2006 9 years ago!!

              Most require IE 6 anyway to render right so firefox won't help. Our customers at work require IE 6 emulated to 1998 quirks mode through citrix to run. Oddly it is still upgraded and developers just work around the 15 year old rendering bugs rather than rewrit

        • Yeah, chrome killing support for napia plugins has made a java remote appliance stop working the same way, a building lighting control system built on silverlight to stop working, and an hvac systems web interface. And thats just the building I work in....

          Right now, everyone is hoping microsoft or oracle or whomever will update plugins so that they work again in chrome. IETAB is a work around, however it sucks ass that internal tools firewalled off from the internet also get shafted. Upgrades for these kin

        • It's not even as if Java is a huge security problem today. It's effectively been click-to-play by default in all major browsers for a long time, and the plug-in itself then has a bunch more security safeguards before it will trust remote code to do just about anything.

          Agree. Expensive enterprise software often relies on applets, that's the way it is and how it will remain for some years.

          Now if Java or browsers had the ability to whitelist Java applets, then for an enterprise with control over its own applets, I actually don't see any particular security problem with applets running within a browser. Why not allow enterprises to run software they control and trust?

    • But was the screw up Flash, or the fact Flash was needed to make websites able to show animations, videos, and play audio, because until HTML5 nobody was willing to set the standards necessary?

      Flash didn't come out of no-where, it was necessary to implement certain concepts over the web - and to a certain extent, still is.

  • by Viol8 ( 599362 ) on Saturday October 10, 2015 @08:39AM (#50698463) Homepage

    "Plugins are a source of performance problems, crashes, and security incidents for Web users"

    So is your browser. And whatever happened to choice? If I want to use a plugin that may crash occasionally thats up to me - not you. What next - I can only view web pages that your browser deems acceptable? Asshats.

    • So is your browser.

      Which is exactly why Mozilla will very soon now get rid of the browser.

      And Mozilla will make that decision unilaterally. Mozilla will not listen to you. Mozilla knows what's best for you. You don't.

      One fine day your browser will simply remove itself. Because Mozilla said so.

  • What is NPAPI ?
    and does this have anything to do with the add=ons and plug=ins specific to Firefox and Seamonkey
    SAome of which break every time they put out a new version of FF

    I hear version 42 is out soon - any HHGTG easter eggs in it?

    • Re:Question (Score:5, Informative)

      by Sigma 7 ( 266129 ) on Saturday October 10, 2015 @09:47AM (#50698671)

      What is NPAPI ?

      NPAPI is the legacy plugin system used by browsers that allows webpages to serve executable content without the user having to download a file.

      This system is used by Flash, Unity, Java, and various unimportant plugins. Of these, Flash has an arrangement with Adobe, Unity has an exit strategy, and Java is completely neutered as it was for quite some time. The unimportant plugins are unimportant (and if they were, they'd have fixed it by now.)

      and does this have anything to do with the add=ons and plug=ins specific to Firefox and Seamonkey
      SAome of which break every time they put out a new version of FF

      Those are extensions, which is completely different.

    • Re:Question (Score:5, Informative)

      by fahrbot-bot ( 874524 ) on Saturday October 10, 2015 @02:21PM (#50699809)

      What is NPAPI ?

      Jesus you're lazy: NPAPI [wikipedia.org]

  • Firefox Tools->Addons->Plugins doesn't mention it.

  • by JBMcB ( 73720 )

    How am I going to play at NetBabyWorld without shockwave?

  • https://www.apple.com/hotnews/... [apple.com] (A bit old, but probably still relevant.)
  • by sethstorm ( 512897 ) on Saturday October 10, 2015 @11:24AM (#50699051) Homepage

    How long until we see forks of Firefox that don't give up on plugins?

  • by Joe_Dragon ( 2206452 ) on Saturday October 10, 2015 @12:01PM (#50699217)

    They need to get rid of the flash based one.

  • Pale Moon is based on an older Firefox base, but I'm very curious as to whether it will continue to support NPAPI after Firefox axes them. Anyone know for sure?

  • In August Mozilla announced they are going to deprecate XUL-based extensions, which hurts popular extensions such as DownThemAll. In fact the DTA dev has posted an insightful comment in his blog regarding this decision:
    http://www.downthemall.net/the-likely-end-of-downthemall/ [downthemall.net]

I've got a bad feeling about this.

Working...