Google Chrome Browser Plays Nicer in New Flash Sandbox

As part of its latest Chrome 21 Web browser, Google dramatically improved Flash performance and stability in Chrome for users by porting Flash to its new sandboxed PPAPI platform.

Download the authoritative guide: How to Develop an IT Security Strategy

When the latest Version 21 of Google's Chrome Web browser was released July 31, one big development got little notice at the time: Chrome 21 now finally includes an updated Flash integration that means improved security, stability and performance for Microsoft Windows Chrome users.

More than just a minor tweak, Chrome 21 now includes a new sandboxed PPAPI platform that brings noticeable improvements for users running plug-ins such as Adobe Flash, according to an Aug. 8 post by Justin Schuh, a Chrome software engineer, on Google's Chromium Blog.

"With last week's Chrome Stable release, we were finally able to ship PPAPI Flash to all Windows Chrome users, so they can now experience dramatically improved security and stability as well as improved performance down the line," wrote Schuh in his post.

The porting work began about two years ago in coordination with Adobe, he said, when the older NPAPI architecture began to show its age.

PPAPI, or the Pepper Plug-in API, is a cross-platform API for plug-ins for Web browsers. NPAPI is a Netscape Plug-in API, dating back to the now defunct Netscape Navigator 2.0 browser.

The move to PPAPI is big, wrote Schuh.

"At its core, NPAPI is a thin layer of glue between the Web browser and a native application. In the early days of the Web, this provided a tremendous advantage, because it allowed third-party plug-ins to evolve rapidly and implement new capabilities, moving the whole Web forward," Schuh added.

Nowadays, though, the past benefits of NPAPI became liabilities because that very thinness that was beneficial earlier "allowed legacy browser and OS behavior to bleed through and crystallize to the point that it hamstrung future improvements," Schuh wrote. "As browsers add compelling features like sandboxing, GPU acceleration and a multi-process architecture, the legacy of NPAPI severely impedes or outright prevents us from extending those improvements to any pages with plug-in content." That's why Flash was ported to PPAPI.

"Windows Flash is now inside a sandbox that's as strong as Chrome's native sandbox, and dramatically more robust than anything else available," wrote Schuh. "And for the first time ever, Windows XP users (specifically, over 100 million Chrome users) have a sandboxed Flash-which is critical given the absence of OS support for security features like Address Space Layout Randomization (ASLR) and integrity levels."

The switch to PPAPI also allowed developers to reduce Flash crashes for users by about 20 percent "by eliminating the complexity and legacy code associated with NPAPI," wrote Schuh. Another breakthrough is that developers can composite Flash content on the GPU, allowing faster rendering and smooth scrolling and even more room for improvement, according to the post.

A similar PPAPI Flash port is also still in the works for Mac OS X with hopes to ship it soon, wrote Schuh. Linux users have been seeing the improvements with PPAPI Flash since Chrome 20 was released, along with Chrome OS users who have been running it for almost a year, the post stated.

The Flash integration changes follow previous announcements from Adobe that it was winding down support for mobile versions of Flash as it moved the application over to the new HTML5 standards.

The new Chrome 21 also includes 15 bug fixes, as well as support for Apple's high-resolution Retina displays for Macs and iPads.

It also includes a new getUserMedia API, which allows users to grant Web apps access to cameras and microphones without a plug-in, according to a Google Chrome Blog post. The getUserMedia API is the first step in WebRTC, a new real-time communications standard that aims to allow high-quality video and audio communication on the Web, according to Google.