User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.32 Safari/535.7 Steps to reproduce: 1. Install an extension which provides a bundled NPAPI Plugin 2. Access a page that references that plugins mime-type 3. Execute methods exposed by the plugin Actual results: The plugin loads regardless of the user or extension developers desire to make the plugin accessible only to the extension that provides it. Expected results: Extensions should not automatically make bundled NPAPI plugins globally accessible as it creates issues related to user security and can cripple functionality. For example, I have developed an extension which uses a bundled NPAPI plugin to provide access to a user-level system resource; however in Firefox I am not able to indicate that only the providing extension can access those methods and the NPAPI plugin is made globally available to other extensions and can also be instantiated on a malicious website. Furthermore, I imagine it is possible that a malicious extension could provide an NPAPI plugin that mimics the functionality of a trusted plugin - such as Adobe Flash - and trick the user into exposing sensitive information. Chromium for example has a manifest flag that allows bundled plugins to be either public or private to the extension that provides it, which removes the necessity for the otherwise browser agnostic NPAPI Plugin to have browser and extension subsystem specific logic that enforces such a rule.
I don't know why you would use NPAPI for anything other than showing content. If you're looking for an easy way to access system libraries, js ctypes is probably what you're looking for: https://developer.mozilla.org/en/js-ctypes. Moving to Core > Plugins, since there is where such a change would be considered.
This is a valid enhancement request. I'd like this to be done, but I doubt that it's very high-priority. I will at least write a feature page so that blizzard and product drivers are aware and can make priority decisions.
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.