Oracle has announced it will drop support for the Java browser plug-in in the next release of the Java Development Kit, JDK 9, which is expected to be released in early 2017.
At issue is support for the Netscape Plugin Application Programming Interface (NPAPI), which is being phased out of various browsers for a variety of reasons, primarily security. Oracle, like other Web technology providers, is moving away from NPAPI.
NPAPI enables plug-ins to be developed for Web browsers. It was first developed for Netscape browsers, starting in 1995 with Netscape Navigator 2.0, but was subsequently adopted by other browsers. Code running in an NPAPI plug-in has the full permissions of the current user and is not sandboxed or shielded from malicious input.
“By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plug-in support, eliminating the ability to embed Flash, Silverlight, Java and other plug-in based technologies,” Dalibor Topic, principal product manager at Oracle, said in a blog post announcing the move.
“The rise of Web usage on mobile device browsers, typically without support for plug-ins, increasingly led browser makers to want to restrict and remove plug-in support from their products, as they tried to unify the set of features available across desktop and mobile versions,” said Donald Smith, senior director of product management at Oracle, in a blog post. “Coincidental with the rise of mobile was the emergence of the ‘app store’ model rather than ‘plug-in based’ models for application delivery. The “app store” model grew for reasons related to simplicity, security, and centralized availability. Given these evolutions in mobile, delivery, and capabilities, the set of browsers that continue to support standards based plug-ins has shrunk over time.”
For its part, Topic said Oracle plans to deprecate the Java browser plug-in in JDK 9. The technology will be removed from the Oracle JDK and the Java Runtime Environment in a future Java SE release.
“With modern browser vendors working to restrict and reduce plug-in support in their products, developers of applications that rely on the Java browser plug-in need to consider alternative options such as migrating from Java Applets (which rely on a browser plug-in) to the plug-in-free Java Web Start technology,” Topic said.
Early access releases of JDK 9 are available for download and testing at http://jdk9.java.net.
“Oracle’s JDK team has wanted to do this for some time,” Simon Ritter, deputy CTO at Java runtime provider Azul Systems, told eWEEK. “If you look at the security vulnerabilities reported for Java in the last few years, the vast majority have been in the plug-in, affecting browser-based applications, and via Java Web Start. Since the Java plug-in or Web Start is not part of the Java SE standard, Oracle — or any other Java platform provider — is under no obligation to support this. Since the trend for some time has been a movement away from the use of the Java plug-in and Web Start due to security concerns, removing them over time does remove potential security vulnerabilities that Oracle and the Java community has struggled to consistently eliminate.”
Google announced plans to begin phasing out support for NPAPI over two years ago. “Today’s browsers are speedier, safer, and more capable than their ancestors,” Google’s post on the issue said. “Meanwhile, NPAPI’s 90s-era architecture has become a leading cause of hangs, crashes, security incidents, and code complexity. Because of this, Chrome will be phasing out NPAPI support over the coming year.”
Mozilla provided a timeline for phasing out NPAPI support, saying plug-ins will stop working in all versions of Firefox by the end of 2016.
“Websites and publishers which currently use plug-ins such as Silverlight or Java should accelerate their transition to Web technologies,” Mozilla’s post on the issue said. “The Web platform is powerful and can usually do everything that a plug-in can do. In the rare cases where a site needs to extend Web technologies, the recommended solution is to develop the additional features as a Firefox add-on.”
IDC analyst Al Hilwa agreed with Mozilla’s stance on the matter.
“I think the team is doing the right thing to clean up the JDK code-base and reduce complexity,” Hilwa told eWEEK. “The browser plug-in has been problematic, but more importantly, in the face of trends in client-side software development, it makes great sense to make the move now. The world is shifting towards HTML5, and while there are legacy apps that use various plug-in technologies, like Flash, Silverlight and Java, they are likely to gradually make way for rewritten apps that operate without a plug-in. For Java this is a positive step to reduce its complexity and surface area, and focus it on staying current with what’s changing in platform and app dev trends.”