Chromium Blog
News and developments from the open source browser project
The road to safer, more stable, and flashier Flash
Wednesday, August 8, 2012
A little more than two years ago, engineers on the Chrome team began a very ambitious project. In coordination with Adobe, we started porting Flash from the aging NPAPI architecture to our sandboxed PPAPI platform. With
last week’s Chrome Stable release
, we were finally able to ship PPAPI Flash to all Windows Chrome users, so they can now experience dramatically improved security and stability as well as improved performance down the line.
To appreciate just what a big step forward this is, it helps to understand a bit more about the history and architecture of
NPAPI plug-ins
. At its core, NPAPI is a thin layer of glue between the web browser and a native application. In the early days of the Web this provided a tremendous advantage, because it allowed third-party plug-ins to evolve rapidly and implement new capabilities, moving the whole web forward.
Unfortunately, as the web evolved, the past benefits of NPAPI became liabilities. The thinness allowed legacy browser and OS behavior to bleed through and crystallize to the point that it hamstrung future improvements. As browsers add compelling features like sandboxing, GPU acceleration, and a multi-process architecture, the legacy of NPAPI severely impedes or outright prevents us from extending those improvements to any pages with plug-in content.
By porting Flash to PPAPI we’ve been able to achieve what was previously impossible with NPAPI for the
99.9% of Chrome users that rely on Flash
. Windows Flash is now inside a sandbox that’s as strong as Chrome’s native sandbox, and dramatically more robust than anything else available. And for the first time ever, Windows XP users (specifically, over 100 million Chrome users) have a sandboxed Flash—which is critical given the absence of OS support for security features like
ASLR
and
integrity levels
.
Beyond the security benefits, PPAPI has allowed us to move plug-ins forward in numerous other ways. By eliminating the complexity and legacy code associated with NPAPI, we’ve reduced Flash crashes by about 20%. We can also composite Flash content on the GPU, allowing faster rendering and smooth scrolling (with more improvements to come). And because PPAPI doesn’t let the OS bleed through, it’s the only way to use all Flash features on any site in Windows 8 Metro mode.
Moving forward, we’re finishing off the PPAPI Flash port for Mac OS X and hope to ship it soon. And Linux users have already been benefiting from PPAPI Flash since Chrome 20, along with Chrome OS users who have been running it for almost a year. Soon all Chrome users will have access to the improved security, stability, and performance of PPAPI Flash.
Posted by Justin Schuh, Software Engineer and Boring Security Guy
Labels
$200K
1
10th birthday
4
abusive ads
1
accessibility
1
ad blockers
1
ad blocking
2
advanced capabilities
1
android
1
anti abuse
1
anti-deception
1
background periodic sync
1
badging
1
benchmarks
1
beta
22
better ads standards
1
billing
1
birthday
4
blink
2
browser
2
browser interoperability
1
bundles
1
capabilities
6
capable web
1
cds
1
cds18
2
cds2018
1
chrome
28
chrome ads
1
chrome apps
4
chrome dev summit
1
chrome dev summit 2018
1
chrome dev summit 2019
1
chrome developer
1
Chrome Developer Center
1
chrome developer summit
1
chrome devtools
1
Chrome extension
1
Chrome Frame
1
Chrome lite
1
Chrome on Android
1
chrome privacy
3
chrome security
4
chrome web store
29
chromedevtools
1
chromeframe
3
chromeos
3
chromium
4
cloud print
1
coalition
1
coalition for better ads
1
contact picker
1
content indexing
1
cookies
1
csrf
1
css
1
dart
8
dashboard
1
Data Saver
3
Data saver desktop extension
1
day 2
1
deceptive installation
1
declarative net request api
1
design
1
Developer Program Policy
1
devtools
13
discoverability
1
DNS-over-HTTPS
2
DoH
2
emscriptem
1
enterprise
1
extensions
27
faster web
1
features
1
feedback
2
field data
1
frameworks
1
fugu
2
fund
1
funding
1
gdd
1
google earth
1
google io 2019
1
google web developer
1
googlechrome
12
harmful ads
1
html5
11
iframes
1
images
1
incognito
1
intent to explain
1
ios
1
ios Chrome
1
javascript
5
lab data
1
lazy-loading
1
lighthouse
2
linux
2
Lite Mode
2
Lite pages
1
loading interventions
1
loading optimizations
1
mac
1
manifest v3
1
mobile
2
na
1
native client
8
native file system
1
New Features
5
notifications
1
octane
1
open web
4
origin trials
2
pagespeed insights
1
pagespeedinsights
1
payment handler
1
payment request
1
payments
1
performance
3
performance tools
1
permission UI
1
play store
1
portals
3
privacy
1
privacy sandbox
1
progressive web apps
2
Project Strobe
1
protection
1
pwa
1
quieter permissions
1
releases
3
removals
1
rlz
1
safe browsing
1
security
34
site isolation
1
slow loading
1
sms receiver
1
spdy
2
spectre
1
speed
1
ssl
2
store listing
1
strobe
1
subscription pages
1
suspicious site reporter extension
1
tools
1
transparency
1
trusted web activities
1
twa
2
user data policy
1
v8
6
video
1
wasm
1
web
1
web apps
1
web assembly
1
web intents
1
web packaging
1
web payments
1
web request api
1
web.dev
1
webapi
1
webassembly
1
webaudio
3
webgl
7
webkit
5
webmaster
1
webp
5
webrtc
5
websockets
5
webtiming
1
writable-files
1
yerba beuna center for the arts
1
Archive
2020
Feb
Jan
2019
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2018
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2017
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2016
Dec
Nov
Oct
Sep
Aug
Jun
May
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2012
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2010
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2009
Dec
Nov
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2008
Dec
Nov
Oct
Sep
Feed
Follow @ChromiumDev
Give us feedback in our
Product Forums
.
