Web browser makers Apple, Opera and Mozilla are collaborating on an expanded plug-in specification that allows for more powerful Web-based scripting - just as security concerns have finally convinced Microsoft to step back from its own scripting system, ActiveX.
The companies have signed up plug-in makers Adobe, Macromedia and Sun to back an expanded version of the Netscape Plugin Application Program Interface (NPAPI), a plug-in model used by most non-Microsoft browsers. The updated API will create a standardised way of increasing interactivity between browsers and plug-ins, which will be built into Apple's Safari, Mozilla's Firefox and the Opera browser.
Mozilla said the new API would shortly begin appearing in developer versions of Firefox, with finished versions shipping in browsers this autumn. The new features won't be usable until plug-in makers begin supporting them; future versions of PDF Reader, Java, Shockwave, Flash and QuickTime are to work with the new API, but developers didn't set a timeline.
"The old API was limiting, and when you hit a limit it's easy for different players to go off and find different solutions," said Opera chief executive Jon S. von Tetzchner. "We wanted to create something standardised that was also disjointed from Windows." The Mozilla Foundation, created by AOL last year to coordinate the Mozilla browser project, is leading the standardisation effort.
The aim is to allow browsers to share more data with plug-ins through scripting, a feature known as scriptability. Scriptability allows users to customise an item of clothing in a Flash movie, for example, and have the resulting pricing and availability information displayed in a browser window - something possible with ActiveX controls but not with the current NPAPI. The update uses a World Wide Web Consortium (W3C) recommendation called the Document Object Model (DOM), which lets scripting languages interact directly with Web-page elements such as plug-ins.
Security will be a major concern in rolling out the new API, according to the companies involved. The lack of ActiveX support has been a major reason why the Opera, Safari and Mozilla browsers remain more secure than Internet Explorer, according to security experts.
ActiveX was criticised by security experts from its introduction in the 1990s as little more than an invitation to remote attackers; unlike Java, which has built-in limitations on how applets can interact with the operating system, ActiveX controls can carry out virtually any function desired by the developer, including the installation of worms and Trojans. In 1997, for example, a Hamburg hacker group called Chaos Computer Club demonstrated a control that snatched money from one online bank account and deposited it into another, bypassing the users' login codes.
"ActiveX is a very profound Web technology. As a profound Web technology it may be abused," wrote eEye in a recent advisory. "Designers might create an ActiveX which could perform any function on an user's computer. The responsibility rests with the creator of the ActiveX, as in any trust model."
More recently the threats from ActiveX have become actual, rather than theoretical, with critical holes discovered in two IBM controls, and attacks via several major e-commerce sites using compromised ActiveX controls. A Microsoft update on Friday fixed one of the vulnerabilities.
The most recent attacks, along with a recommendation by security group US CERT that users consider not using Internet Explorer, has led to more interest in IE alternatives. The Mozilla Foundation said downloads of Firefox spiked from around 100,000 a day to 200,000 on the day of CERT's advisory. Opera Software said its downloads normally trail off at the beginning of the summer, but have instead risen.
In Windows XP Service Pack 2, due this summer, Microsoft will finally allow users to control scripting in the same way as pop-up ads - blocking or allowing all scripts, or being notified every time a script tries to run. The feature, a de facto admittance that ActiveX controls are a potential security risk, marks a shift in Microsoft's attitude, according to industry observers.
Developers didn't offer specifics on how the new NPAPI would deal with security issues, but said greater functionality doesn't necessarily need to mean shakier security, as long as it's developed the right way. "We're adding more functionality to the old plug-in interface, but at the same time we're always focussing on security," said von Tetzchner. "With Microsoft, in the past their focus has been more on just getting things done."
He said the new API would allow scripts with similar system access privileges to ActiveX controls, since plug-ins have always had full access to the system. "The question is to control how plug-ins are activated and misused," von Tetzchner said.