NPAPI

Netscape Plugin Application Programming Interface (NPAPI) is a cross-platform plugin architecture used by many web browsers.

It was first developed for Netscape browsers, starting in 1995 with Netscape Navigator 2.0, but was subsequently adopted in Internet Explorer 3 in 1996 and implemented by many other browsers, although some browsers later dropped support.

For stability and security reasons, Google Chrome decided, in 2013, to start phasing out support for NPAPI.^[1] As of Chrome version 42, NPAPI is disabled by default and must be re-enabled explicitly. Google intends to remove support entirely in version 45, due in September 2015.^[2][3]

A plugin declares that it handles certain content types (e.g. "audio/mp3"). When the browser encounters that content type it loads the associated plugin, sets aside space within the browser context for the plugin to render and then streams data to it. The plugin is then responsible for rendering the data. The plugin runs in-place within the page, as opposed to older browsers that had to launch an external application to handle unknown content types.

The application programming interface (API) requires each plugin to implement and expose approximately 15 functions for initializing, creating, destroying and positioning plugin content. The NPAPI also supports scripting, printing, full screen plugins, windowless plugins and content streaming.

History

The origin of the Netscape plugin functionality started at Adobe Systems. John Warnock, CEO of Adobe, and Allan Padgett, one of the primary authors of Acrobat Reader, were hopeful that Adobe's fledgling PDF file format could play a role beyond the desktop. Soon after Netscape released the first version of Navigator, Padgett and fellow developer Eswar Priyadarshan tried to find a way to make PDF an integral part of the Web experience. The result was a live demo shown to Warnock and Netscape CEO Jim Clark. Prior to that demo, the only native file formats on the Web were HTML pages and embedded images. Links to other file type caused the user to be prompted to download the file, after which the user could open the appropriate application. In that demo, however, when a user clicked on a link to a PDF file, the file was rendered within the browser window, seamlessly blending HTML and PDF consumption. Clark excitedly asked who at Netscape had provided support for the integration, only to discover that the integration was done without Netscape involvement, but by reverse engineering the Netscape browser.

The companies set out the next week to bring what was known as "Allan's Hack" to market. While Netscape was ready to incorporate PDF directly into the browser, and certainly Adobe would have gained from that, Padgett proposed his plugin architecture. Adobe developers Gordon Dow and Nabeel Al-Shamma had recently added a plugin architecture to the Acrobat Reader to leverage the development efforts of developers outside of the Reader team. Padgett had been a part of that effort, and he expected that if given a chance, other companies (and hopefully teams within Adobe) would choose to extend the Web as well. Clark and team in the end were convinced and set off designing the API that would support the new model.

Google announced later in 2013 that their browser will not support NPAPI plugins anymore, and will block plugins which use this technology. This includes Oracle's Java and Microsoft's Silverlight plugins, although these will be whitelisted during 5 months."^[4]

Scripting support

Scripting is a feature allowing JavaScript code in a web page to interact with the plugin. Various versions of Netscape and then Mozilla supported this feature using different technologies, including LiveConnect, XPConnect, and npruntime.

LiveConnect

With Netscape 4, the NPAPI was extended to allow plugins to be scripted. This ability was known as LiveConnect. A plugin could implement and return an instance to a Java class. The public methods exposed by this class was the scriptable interface for the plugin. The class could be called from JavaScript and from Java applets running within the page with the browser marshalling the calls between the various contexts.

The disadvantage of LiveConnect was that it was heavily tied to the version of Java within the Netscape browser. This prevented the browser from using other Java runtimes, and added bloat to the browser download size since it required Java to script plugins.

Additionally, LiveConnect was tricky to program. The developer had to define a Java class for the plugin, run it through a specialised Java header compiler and implement the native methods. Handling strings, exceptions and other Java objects from C++ was non-obvious. To compound matters LiveConnect used an earlier and now obsolete API for invoking native C++ calls from Java called JRI. The JRI technology has long been supplanted by JNI.

XPConnect

LiveConnect was problematic for Mozilla. The dependency on an obsolete and proprietary Java runtime and the JRI API meant that LiveConnect never really worked.

Mozilla was already using XPCOM to define the interfaces to many objects implemented in C++. Each interface was defined by an IDL file, and run through an IDL compiler that produced header files and a language neutral type library that was a binary representation of the interface. This binary described the interface, the methods, the parameters, the data structures and enumerations.

XPConnect uses the type library information to marshal calls between different thread contexts and between JavaScript and natively compiled C++. XPConnect is used extensively throughout Mozilla. Starting with Netscape 6.1 and Mozilla 0.9.2, NPAPI was extended so that a plugin could return a scriptable interface to itself and XPConnect would marshal calls to it from JavaScript and the C++ implementation.

XPConnect has no Java dependency, however the technology is based on XPCOM, which is similar to Microsoft COM. Thus the plugin developer must be familiar with reference counting, interfaces, IDL and more to implement scripting. The dependency on XPCOM led to certain dynamic linking issues (e.g. the fragile base class problem) which had to be solved before the plugin would work correctly with different browsers. XPCOM has since been changed to supply a statically linked version to address such issues. This approach also requires an .xpt file to be installed next to the DLL; otherwise the plugin will appear to work, but scripting won't, causing confusion.

NPRuntime

At the end of 2004, all major browser companies using NPAPI agreed on NPRuntime^[5] as an extension to the original NPAPI to supply scripting, via an API that is similar in style to the old C-style NPAPI and is independent of other browser technologies like Java or XPCOM. It is supported by Mozilla (1.7.5+) / Firefox, Safari, Opera and Chrome.

Browser support

The following web browsers support NPAPI plugins:

• Web
• Google Chrome / Chromium. In September 2013, Google announced that it would phase out NPAPI support in Chrome during 2014 because "NPAPI's 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity".^[6] NPAPI support was removed from the Linux version of Chrome in May 2014 (version 35).^[7] NPAPI support is disabled by default since April 2015 (version 42) for Windows and OS X, but can be turned on in the settings. Google plans to drop Chrome NPAPI support from all platforms in September 2015.^[8]
• Safari
• Konqueror
• WebOS Isis browser
• Mozilla project applications, including
  • Camino
  • Firefox: Firefox has reduced support for NPAPI from version 30 on.^[9]
  • Mozilla Application Suite
  • SeaMonkey
• Netscape Navigator and Communicator
• Opera: NPAPI support will be deprecated from Opera 20 onward.
• Odyssey Web Browser on MorphOS
• Qupzilla
• Internet Explorer up to 5.5SP2. Internet Explorer for a time supported NPAPI plugins, allowing plugins that functioned in Netscape Navigator to also function in Internet Explorer. Support came via a small ActiveX control implemented within a "plugin.ocx" file that acted as a "shim" between ActiveX and the NPAPI plugin. IE would load the control and use it to host plugins specified within the page. However, Microsoft saw this as a security issue and dropped support in version 5.5 SP2 and later in MS03-015 for IE 5.01.^[10][11][12]

Security

On Microsoft Windows, a popular misconception concerning the NPAPI technology is that a plugin is somehow inherently safer than an ActiveX control. Both run native machine instructions with the same privileges as the host process. If the host processes have broad privileges, a malicious plugin can do as much damage as a malicious ActiveX control. It is important to note that NPAPI plugins can be made much safer by simply running in a limited user account. It is generally possible to install and run plugins with a limited user, while installing ActiveX controls requires administrative privileges (prior to IE8) even when the ActiveX runs in a limited account. When running with limited privileges, a plugin cannot do as much damage.

One important difference between NPAPI and ActiveX is that NPAPI is solely for Internet plugins, while ActiveX is used for a wide variety of purposes, including application composition in Windows applications. A typical Windows user has a vast array of ActiveX controls installed, a number of which are probably marked "safe for scripting", but are not actually secure. Any of these can be used as means to subvert the user's computer prior to the introduction of the ActiveX Opt-in feature in Internet Explorer 7.^[13]

Another difference is that NPAPI implementations (prior to Mozilla Firefox, see below) did not offer to automatically download or install missing plugins. A missing plugin caused the browser to display a jigsaw piece representing the plugin. If the user clicked on that they were directed to Netscape's plugin finder service where they could manually download and install the plugin for themselves. While this is inconvenient to the user, it is also an important security measure since it prevented the content using the browser as a vector for malware.

In Internet Explorer, the HTML content specifies the location where the ActiveX control resides. If the control is not already installed, IE offers to download and install the control from the specified source. For legitimate controls, this offers a more streamlined installation mechanism with minimal user interaction. However malicious content could convince the user with clever social engineering to ignore warnings (or their better judgement) and install something that might harm their privacy or the machine. A number of spyware, adware and malware sites use this mechanism to deploy executable content to machines. Microsoft has had to increase the default security settings for ActiveX and maintain blacklists of malicious controls in an attempt to mitigate this risk.

Mozilla Firefox attempts to occupy a middle ground. If a plugin is missing, it notifies the user that the plugin is missing and initiates a secure connection to a plugin finder service hosted on mozilla.org. The user can permit Firefox to download and install the plugin. This model prevents content specifying where a plugin should be downloaded from – the plugin finder service does. This enables Firefox to present a fairly seamless installation mechanism but limit the service to trusted and compatible plugins from reliable sources. This model implicitly trusts the plugin finder service to return "good" plugins, increasing the security required on the host site.

PPAPI

On August 12, 2009, a page on Google Code introduced a new project, Pepper, with the associated Pepper Plugin API (PPAPI),^[14] "a set of modifications to NPAPI to make plugins more portable and more secure".^[15] This extension is designed specifically to ease the implementation of out-of-process plugin execution. Further, the goals of the project are to provide a framework for making plugins fully cross-platform. Topics considered include:

• Uniform semantics for NPAPI across browsers.
• Execution in a separate process from the renderer/browser.
• Standardize rendering using the browser's compositing process.
• Defining standardized events and 2D rasterization functions.
• Initial attempt at providing 3D graphics access.
• Plugin registry.

Browser support

The following web browsers support PPAPI plugins:

• Google Chrome
  • Chromium Google's open source browser was the development web browser that first utilized the new browser plug-in model.^[16]
• Opera (since version 24^[17])

On 26 May 2011, Mozilla announced that it was "not interested in or working on Pepper at this time."^[18]

In February 2012, Adobe Systems announced that future GNU/Linux versions of Flash Player would only be provided via PPAPI, although the previous release, Flash Player 11.2, with NPAPI support, would receive security updates for five years.^[19]

See also

• Netscape Server Application Programming Interface (NSAPI)

References

External links

• Plugin development documentation on Mozilla Developer Center, including the NPAPI API
• An ActiveX control that hosts plugins – a replacement for plugin.ocx that was removed from Internet Explorer.
• Book on Programming Netscape Plug-Ins by Zan Oliphant
• Nixysa: A glue code generation framework for NPAPI plugins. Apache 2.0 license.
• NPAPI Tutorial Building a Firefox Plugin (Part two, Part three, Part four)
• Opera 15+ extensions documentation

Web interfaces Server-side Protocols CGI SCGI FCGI AJP WSRP WebSocket Server APIs C NSAPI C ASAPI C ISAPI COM ASP Java servlet container Portlet container CIL System.Web.IHttpHandler Python WSGI Ruby Rack JavaScript JSGI Perl PSGI Lua WSAPI Apache modules mod_jk mod_lisp mod_mono mod_parrot mod_perl mod_php mod_proxy mod_python mod_wsgi mod_ruby Phusion Passenger Topics Web resource vs. Web service Open API Webhook Application server comparison Client-side Browser APIs C NPAPI LiveConnect XPConnect C NPRuntime C PPAPI NaCl COM ActiveX Framework APIs W3C Audio Canvas CORS File Geolocation IndexedDB Microdata SSE SVG Video WebRTC WebSocket Web messaging Web storage Web worker XMLHttpRequest Khronos WebCL WebGL Others Gears Web SQL Database (formerly W3C) Topics Mashup Web IDL

Mozilla   Projects Mozilla Labs Bonsai Bugzilla ChatZilla Electrolysis Project Jetpack Lightning Penelope Persona Prism Raindrop Skywriter Sunbird Sync Tinderbox Ubiquity Mozilla Research Firefox OS OpenFlint Rust Servo Mozilla Foundation Firefox 1 1.5 2 3 3.5 3.6 4 5–current Future releases for Mobile SeaMonkey Thunderbird Origins Mozilla Application Suite Netscape Navigator Netscape Communicator Netscape Communications Beonex Communicator Forks BurningDog Classilla Flock Gnuzilla Iceape IceCat Icedove Iceowl Miro Netscape 9 Portable Edition Swiftfox Swiftweasel TenFourFox xB Browser Frameworks add-on Gecko Necko NPAPI XPConnect XBL XPCOM XPInstall XUL XULRunner Components Application Object Model Composer NSPR NSS Rhino SpiderMonkey Tamarin Venkman Discontinued Calendar Project Camino Grendel Minimo   Organization Foundation Former Mozilla Organization Mozilla Foundation Subsidiaries Mozilla Corporation Mozilla Messaging Mozilla Online Official affiliates Mozilla China Mozilla Europe Mozilla Japan Mozilla Taiwan People Mitchell Baker Brendan Eich   Community mozdev.org Mozilla Add-ons Mozilla Developer Network MozillaZine Spread Firefox   Misc. The Book of Mozilla Mozilla Public License rebranding / forking mascot Code Rush Mozilla localizations

Netscape Browser versions Mosaic Netscape Netscape Navigator 1 2 3 4 Netscape Communicator 4 5 Netscape 6 7 Netscape Browser 8 Netscape Navigator 9 Netscape Plugin Application Programming Interface (NPAPI) E-mail clients Netscape Mail & Newsgroups Netscape Messenger 9 Other components Netscape Composer Server software Netscape Enterprise Server Netscape Application Server Netscape Proxy Server Netscape Directory Server Netscape Server Application Programming Interface (NSAPI) Web services Netscape.com Propeller.com Open Directory Project Netscape ISP People Eric J. Bina James H. Clark Brendan Eich Daniel Glazman Jamie Zawinski Lou Montulli Marc Andreessen Eric A. Meyer Mitchell Baker See also Gecko JSSS Mariner Netscape 5 Netscape Public License Mozilla AOL iPlanet