Google pulls trigger, cripples some Chrome add-ons

Also takes one of the last steps to ban old-format extensions

Google is moving ahead with plans to aggressively lock down its Chrome browser by disabling most add-ons not installed from its curated app store and banning plug-ins built to a decades-old standard.

Google this week took more steps in its scheme to aggressively lock down its Chrome browser by disabling most add-ons that weren't installed from its curated app store and banning plug-ins built to a decades-old standard.

Some users called the moves "lame***" and "the single biggest intrusion into not only my browsing convenience, but my computer usage I've ever seen in my entire life."

In a pair of announcements, Google said it is now enforcing rules it had set earlier that force users to obtain add-ons -- the popular gadgets and enhancements that users pile on their browsers -- from the Chrome Web Store. It also made some of the final moves to bar NPAPI plug-ins from Chrome.

Beginning Tuesday, Google began imposing a rule that required extensions, also called add-ons, to originate from the Chrome Web Store for the Windows browser. The change does not affect the OS X or Linux versions of Chrome.

The Chrome Web Store is Google's official distribution channel for Chrome and Chrome OS add-ons, apps and themes.

Google, which has been tightening the screws on third-party add-ons for nearly two years, has claimed that unauthorized and occasionally malicious extensions are a leading complaint from users and a prime cause of problems.

"From now on, to protect Windows users from this kind of attack, extensions can be installed only if they're hosted on the Chrome Web Store," Erik Kay, an Google engineering director, said in a May 27 blog. "With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store."

By forcing add-on developers to publish their work in the Store, Google moved another step closer to a "walled-garden" market, the kind popularized by Apple's mobile app ecosystem. That allows Google to vet the extensions and yank those that turn out to be malicious or do something without user approval, like access other parts of the PC or mine personal information.

In February, Google extended the deadline for the Chrome Web Store-only requirement to at least May 1, saying developers needed more time to move their add-ons to the market.

Businesses can hide their extensions on the store from the public at large -- or continue to use group policies to offer the add-ons to their workforce from their own servers -- and developers will still be able to initiate "in-line" installs from their website, assuming the add-on is also in the Chrome Web Store.

But users continued to gripe about the new policy. On a Chrome support forum, some who saw add-ons vanish went into rage mode.

"Kaspersky is essential, dip*****. Your lame *** nanny disabling of our extensions has left my computer vulnerable to all forms of malicious content now!" howled someone identified as Teo Purcell on the support forum yesterday. "Fix this **** or I'm done with this mess of a browser."

Another Chrome user was less profane, but just as angry after the browser disabled one of his favorite add-ons. "This is the single biggest intrusion into not only my browsing convenience, but my computer usage I've ever seen in my entire life," said "GODzillaGSPB" on Tuesday. "This is not okay. I will seek ways around it and if I don't find one I will uninstall this browser for good."

Also on Tuesday, Google's Chrome Web Store no longer showed NPAPI-based apps and extensions on the home page, search results, and category pages, essentially making them impossible to find.

NPAPI, for Netscape Plug-in Application Programming Interface, harks back to -- not surprisingly -- Netscape, the 1990s browser that Microsoft buried in its antitrust-triggering battle over the still embryonic browser market. The NPAPI architecture has long been criticized for slack security, with years of plug-in hacking -- particularly of Adobe Flash Player, Adobe Reader and Oracle's Java -- proving the critics right.

NPAPI has long been the most popular plug-in standard, and is still supported by Firefox, Opera and Safari. Microsoft's Internet Explorer has always relied on its own proprietary ActiveX architecture for extensions.

Meanwhile, Google has pursued its own plug-in architecture, dubbed PPAPI (Pepper Plugin API), pronounced "pepper," that runs code inside a "sandbox," an anti-exploit technology that prevents, or at least hinders, hackers from pushing their malware onto the machine.

Opera is the only other browser that currently supports PPAPI, not surprisingly since it's now built atop the same browser engine inside Chrome.

Last year, Google announced it would pull NPAPI support from Chrome by the end of 2014. Since then, it's automatically blocked most NPAPI-based plug-ins -- among the exceptions have been Microsoft's Silverlight and Oracle's Java -- and barred new plug-ins from its Chrome Web Store.

Tuesday, it took the step promised last September when it said it would hide NPAPI plug-ins within the Chrome Web Store. This fall, it will yank all NPAPI plug-ins from the market.

With Chrome 37, which should reach the "Stable" channel in late August or early September, Google will take yet another step by showing a more draconian warning to users who try to run a NPAPI plug-in.

"Support for NPAPI will be completely removed from Chrome in a future release, probably by the end of 2014," stated a developers guide on the death of NPAPI in Chrome.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about internet in Computerworld's Internet Topic Center.

This story, "Google pulls trigger, cripples some Chrome add-ons" was originally published by Computerworld .

Join the discussion
Be the first to comment on this article. Our Commenting Policies