
I am new to Native Client; and new to plugins/extensions too. It strikes me that plugins/extensions are "better" than NaCl in some respects:

  1. Can compile plugin/extension anywhere/anyhow to produce a plain old DLL or a .so; NaCl needs binary produced only by the NaCl toolchain.

  2. Plugin/extension is portable across browsers (e.g., it is supposed to run in Firefox and more, as well as in Chrome). This is because plugins/extensions adhere to a de facto standard introduced in Netscape 3.

If that's all true, then what are the advantages of NaCl over plugins/extensions?

Richard J. Ross III
Pete Wilson

2 Answers


In a word: security. NPAPI plugins are unsandboxable. They're native code, running out-of-process and outside of the browser's sandbox, meaning that they can do anything at all on your machine.

NaCl, on the other hand, runs inside Chrome's sandbox, and provides access only to a well-defined set of APIs. Clever compilation tricks ensure that code can't break out and start (intentionally or accidentally) maliciously executing untrusted methods.

http://www.chromium.org/nativeclient/getting-started/getting-started-background-and-basics is a good resource for an overview of the differences. I'd recommend at least skimming it to get an idea of what NaCl is trying to achieve.

Mike West
  • Still, I don't get it. After all, it's my code that's running, so there's no security risk. Furthermore, NaCl runs as a plugin. So, as I say, I don't get it. – Pete Wilson Mar 23 '12 at 14:23
  • @PeteWilson: The security risk is A) That your code has a bug and B) That your code is malicious (if you plan for other people to use your extension). Also, NPAPI does not work when running Chrome in Metro mode. – Brian Aug 09 '12 at 18:27

First, you keep saying "plugins/extensions", but extensions and NPAPI plugins are completely different. NPAPI plugins are binary, and (as you said) cross-browser. Extensions are per-browser; each browser has their own set of extension APIs and capabilities, but they are generally written in HTML/CSS/JS.

As for your question: in addition to the very important security aspect mentioned in another answer: platform portability. If you want to do drawing, event handling, play sounds, etc. in NPAPI you need to write three completely different implementations--Windows, Mac, and Linux--and you need to ship three separate copies of your plugin. NaCl/Pepper has platform-neutral abstractions for everything.

smorgan
  • I see, thanks. I didn't catch the part about platform-neutral abstractions in the docs. Very important, for sure. – Pete Wilson Mar 15 '12 at 09:34