Browser plug-ins are on their way out. Apple’s iOS has never supported plug-ins, Flash is long-discontinued for Android, and the new version of IE for Windows 8 doesn’t support most plug-ins. Chrome will soon be blocking traditional NPAPI browser plug-ins.
The web isn’t going in reverse and losing features. There’s a good reason browser plug-ins are going away, and the web will be better once they’re gone. Browser developers are integrating plug-in features into browsers themselves.
Why Browser Plug-ins Were Created
Browser plug-ins were very necessary when they were created. At the time, browsers were fairly immature. Worse yet, browser development eventually came to a standstill. Microsoft’s Internet Explorer 6 was released in 2001 around the time Windows XP was originally released. As Microsoft had “won” the browser wars and were on top, they decided to pull their developers off Internet Explorer and stop developing IE entirely. The next version of Internet Explorer, IE 7, was released in 2006, over five years later. IE 7 and even IE 8, released 8 years later in 2009, were a fairly small improvements over IE 6.
For over five years, browser development for most web users had stagnated. This slow browser development created big opportunities for plug-in developers. Adobe’s Flash player expanded to include support for video playback as well as animations and other features. Microsoft developed Silverlight released it in 2007 to provide streaming media and animation support — it was basically Microsoft’s Flash competitor.
Other plug-ins were also created to fill holes in web browsers. The Unity plug-in provides 3D graphics support, the Google Voice and Video plug-in gives Google’s Hangouts and Talk services access to a system’s microphone and webcam, and so on.
Even in the early days before Internet Explorer 6 stagnated so badly, browser plug-ins were used to add features to web browsers that the browsers themselves just didn’t have. If you’ve been around the web long enough, you’ll remember going to a video playback page online and being presented with a choice of using Windows Media Player, QuickTime, or RealPlayer to play the video. These three incompatible plug-ins were all different ways of adding video playback to the web. There was no built-in way for browsers to play videos, nor was there a web-wide standard for video playback. We eventually standardized on Flash, and now we’re moving away from it.
Why Browser Plug-ins Are Bad
Browser plug-ins have proven to be a problem for the web. Here are some of the biggest problems with them:
- Security: Browser plug-ins have proven to be more insecure than browsers themselves, and Flash and Java are some of the biggest attack vectors on the web. This is aggravated by the fact that everyone has the same Flash or Java plug-in, no matter what browser or operating system they use. This means that an attack on the plug-in should work across every browser and operating system.
- No Sandboxing: Security problems are made worse because traditional browser plugins written using NPAPI (Netscape Plugin Application Programming Interface) or ActiveX aren’t sandboxed. They have complete access to the entire user account and its operating system permissions. A hole in the plug-in gives access to the entire operating system. Meanwhile, browsers render web pages in a sandbox, which is harder to escape. Chrome’s new Pepper API (PPAPI) sandboxes plug-ins, and the new version of Flash for Chrome uses this Pepper API instead of NPAPI.
- Cross-Platform Problems: Plug-ins are created by a single vendor, which means there’s only a single implementation and it only runs on the vendor’s supported platforms. For example, let’s say you want to watch Netflix on Linux — you can’t do this in a supported way, because Microsoft doesn’t provide Silverlight for Linux. Or, let’s say you want to play some Flash games on your iPad — you can’t do this either, because Adobe Flash doesn’t run on iOS. In both cases, Linux developers or Apple developers can’t write their own support for Silverlight or Flash. It’s not an open standard like web standards are, where you can have multiple implementations implemented by different people.
- Stability: Plug-ins have also been a leading cause of crashes, especially when their crashes brought down entire web browsers. Thankfully, due to Chrome’s sandboxing and Firefox’s plug-in isolation, crashing plug-ins only crash themselves nowadays. There’s no way for browser developers to fix these crashes; they have to rely on the plug-in’s developers to fix them. You can’t just switch to another version of the plug-in if one is crashing for you — there’s only one option.
Between security and the struggles to make plug-ins work well across different mobile and desktop platforms, it’s no wonder that plug-ins are falling out of favor. They’re also foreign objects to web browsers — they render content differently and can’t be integrated with web pages in the same way standard HTML code can.
What’s Replacing Browser Plug-ins
In the early days of the web, plug-ins allowed for features to be developed in parallel and compete — witness all the different video playback plug-ins. They also allowed third-parties to add new web page features when web browser development stagnated.
We’re now in a much healthier environment of rapid browser development and web standards. We have competition between a variety of web browsers and even Microsoft is making an attempt to adhere to web standards in a way they never did in the past.
Many of the features plug-ins implemented are now being introduced in the form of built-in browser features. Many of them are already implemented, while some are only still in development. Here’s what’s replacing the most popular plug-ins:
- Flash: Flash is used for many different things, including video playback and animations. Flash is already being phased out for video playback by HTML5 video, as sites like YouTube are transparently using more HTML5 video instead of Flash. When it comes to animations, many new HTML5 features are filling in where Flash was once required.
- Java: Java is already being phased out, as Java applets on web pages have proven to be insecure because the plug-in is the security equivalent of Swiss cheese. Java essentially provides a way of embedding entire programs on web pages, and this hasn’t worked out well.
- Silverlight: Microsoft is ending development on Silverlight, which is only used for video playback on a few sites at the moment. Netflix, the biggest user of Silverlight, is moving to HTML5 video playback.
- Unity 3D: The Unity 3D plug-in allows for 3D games to be embedded on web pages. 3D graphics on web pages are now possible without any plug-ins thanks to WebGL.
- Google Earth Plug-in: Google’s Google Earth plug-in has already been replaced. You can view a complete, 3D Google Earth scene in Google Maps with WebGL.
- Google Voice and Video: The Google Voice and Video plug-in is still required for Hangouts and Google Talk calls. It will be replaced by the WebRTC standard for plug-in free real-time audio and video communication.
With plug-in features being rolled into browsers themselves, we’ll end up with a more secure, powerful web. Plug-ins are still necessary for the moment, but they’re on their way out. They were very useful at one time, but we’re moving beyond them.
The Flash plug-in will be with us for a while longer as it’s still in such wide use, but all other plug-ins are on the brink of irrelevance. Even Flash is becoming less and less relevant thanks to mobile platforms without Flash support. This is fine by most plug-in developers — Adobe has developed tools that export to HTML5 instead of Flash, Oracle probably wants the extremely insecure Java plug-in to go away and stop sullying their security record, and Microsoft is no longer interested in pushing Silverlight as a Flash competitor.